Guide to the Secure Configuration of SUSE Linux Enterprise 15

with profile Public Cloud Hardening for SUSE Linux Enterprise 15
This profile contains configuration checks to be used to harden SUSE Linux Enterprise 15 for use with public cloud providers.
The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide
This guide presents a catalog of security-relevant configuration settings for SUSE Linux Enterprise 15. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation targetopenqa-suse-de-3b72c31b4a85652c.hx3rjvb3hsvuzngwbiedo0hhec.dx.internal.cloudapp.net
Benchmark URL#scap_org.open-scap_comp_ssg-sle15-xccdf.xml
Benchmark IDxccdf_org.ssgproject.content_benchmark_SLE-15
Benchmark version0.1.69
Profile IDxccdf_org.ssgproject.content_profile_pcs-hardening
Started at2023-10-10T09:45:06+00:00
Finished at2023-10-10T09:45:07+00:00
Performed byroot
Test systemcpe:/a:redhat:openscap:1.3.6

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.0.1.4
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:6245:bdff:fe0a:183d
  • MAC  00:00:00:00:00:00
  • MAC  60:45:BD:0A:18:3D

Compliance and Scoring

The target system did not satisfy the conditions of 4 rules! Please review rule results and consider applying remediation.

Rule results

157 passed
4 failed
0 other

Severity of failed rules

0 other
0 low
4 medium
0 high

Score

Scoring systemScoreMaximumPercent
urn:xccdf:scoring:default98.680557100.000000
98.68%

Rule Overview

Group rules by:
TitleSeverityResult
Guide to the Secure Configuration of SUSE Linux Enterprise 15 4x fail
System Settings 2x fail
Installing and Maintaining Software
System and Software Integrity
Software Integrity Checking
Verify Integrity with AIDE
Configure AIDE to Verify the Audit Toolsmedium
pass
Configure Periodic Execution of AIDEmedium
pass
Configure AIDE to Verify Access Control Lists (ACLs)low
pass
Configure AIDE to Verify Extended Attributeslow
pass
Sudo
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_ptymedium
pass
Ensure Sudo Logfile Exists - sudo logfilelow
pass
Updating Software
Ensure gpgcheck Enabled In Main zypper Configurationhigh
pass
Account and Access Control 2x fail
Warning Banners for System Accesses
Modify the System Login Bannermedium
pass
Modify the System Message of the Day Bannermedium
pass
Verify Group Ownership of System Login Bannermedium
pass
Verify ownership of System Login Bannermedium
pass
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Limit Password Reusemedium
pass
Enforce Delay After Failed Logon Attemptsmedium
pass
Set Deny For Failed Password Attemptsmedium
pass
Set Password Quality Requirements
Set Password Quality Requirements, if using pam_cracklib
Set Password Strength Minimum Digit Charactersmedium
pass
Set Password Strength Minimum Different Charactersmedium
pass
Set Password Strength Minimum Lowercase Charactersmedium
pass
Set Password Minimum Lengthmedium
pass
Set Password Strength Minimum Special Charactersmedium
pass
Set Password Retry Limitmedium
pass
Set Password Strength Minimum Uppercase Charactersmedium
pass
Set Password Hashing Algorithm
Set PAM's Common Authentication Hashing Algorithmmedium
pass
Set PAM''s Password Hashing Algorithmmedium
pass
Protect Physical Console Access
Configure Screen Locking
Configure Smart Card Certificate Authority Validationmedium
pass
Configure Smart Card Certificate Status Checkingmedium
pass
Disable Ctrl-Alt-Del Burst Actionhigh
pass
Protect Accounts by Restricting Password-Based Login 2x fail
Set Password Expiration Parameters 2x fail
Set Existing Passwords Maximum Agemedium
fail
Set Existing Passwords Minimum Agemedium
fail
Restrict Root Logins
Direct root Logins Not Allowedmedium
pass
Secure Session Configuration Files for Login Accounts
Ensure that Users Have Sensible Umask Values
Ensure the Default Umask is Set Correctly in /etc/profilemedium
pass
Set Interactive Session Timeoutmedium
pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivemedium
pass
System Accounting with auditd
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - chownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - removexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - setxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - umountmedium
pass
Record Events that Modify the System's Discretionary Access Controls - umount2medium
pass
Record Execution Attempts to Run ACL Privileged Commands
Record Any Attempts to Run chaclmedium
pass
Record Any Attempts to Run chmodmedium
pass
Record Any Attempts to Run setfaclmedium
pass
Record Execution Attempts to Run SELinux Privileged Commands
Record Any Attempts to Run chconmedium
pass
Record Any Attempts to Run rmmedium
pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - renamemedium
pass
Ensure auditd Collects File Deletion Events by User - renameatmedium
pass
Ensure auditd Collects File Deletion Events by User - unlinkatmedium
pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creatmedium
pass
Record Unsuccessful Access Attempts to Files - ftruncatemedium
pass
Record Unsuccessful Access Attempts to Files - openmedium
pass
Record Unsuccessful Access Attempts to Files - open_by_handle_atmedium
pass
Record Unsuccessful Access Attempts to Files - openatmedium
pass
Record Unsuccessful Delete Attempts to Files - renamemedium
pass
Record Unsuccessful Delete Attempts to Files - renameatmedium
pass
Record Unsuccessful Delete Attempts to Files - renameat2medium
pass
Record Unsuccessful Access Attempts to Files - truncatemedium
pass
Record Unsuccessful Delete Attempts to Files - unlinkatmedium
pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulemedium
pass
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulemedium
pass
Ensure auditd Collects Information on Kernel Module Loading - init_modulemedium
pass
Record Information on the Use of Privileged Commands
Ensure auditd Collects Information on the Use of Privileged Commands - chagemedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - chfnmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - chshmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - crontabmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - insmodmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - kmodmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - modprobemedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - passmassmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - passwdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - rmmodmedium
pass
Record Any Attempts to Run ssh-agentmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - sumedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudomedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdmedium
pass
Ensure auditd Collects Information on the Use of Privileged Commands - usermodmedium
pass
Records Events that Modify Date and Time Information
Record attempts to alter time through adjtimexmedium
pass
Record Attempts to Alter Time Through clock_settimemedium
pass
Record attempts to alter time through settimeofdaymedium
pass
Record Attempts to Alter Time Through stimemedium
pass
Record Attempts to Alter the localtime Filemedium
pass
Remove Default Configuration to Disable Syscall Auditingmedium
pass
Make the auditd Configuration Immutablemedium
pass
Record Events that Modify the System's Mandatory Access Controlsmedium
pass
Ensure auditd Collects Information on Exporting to Media (successful)medium
pass
Record Events that Modify the System's Network Environmentmedium
pass
Record Attempts to Alter Process and Session Initiation Informationmedium
pass
Record Attempts to Alter Process and Session Initiation Information btmpmedium
pass
Record Attempts to Alter Process and Session Initiation Information utmpmedium
pass
Record Attempts to Alter Process and Session Initiation Information wtmpmedium
pass
Record Events When Privileged Executables Are Runmedium
pass
Ensure auditd Collects System Administrator Actionsmedium
pass
Record Events that Modify User/Group Information - /etc/groupmedium
pass
Record Events that Modify User/Group Information - /etc/gshadowmedium
pass
Record Events that Modify User/Group Information - /etc/security/opasswdmedium
pass
Record Events that Modify User/Group Information - /etc/passwdmedium
pass
Record Events that Modify User/Group Information - /etc/shadowmedium
pass
Configure auditd Data Retention
Encrypt Audit Records Sent With audispd Pluginmedium
pass
Configure auditd Disk Full Action when Disk Space Is Fullmedium
pass
Configure auditd admin_space_left Action on Low Disk Spacemedium
pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizemedium
pass
Configure auditd space_left on Low Disk Spacemedium
pass
Configure auditd space_left Action on Low Disk Spacemedium
pass
Configure Syslog
systemd-journald
Ensure journald is configured to compress large log filesmedium
pass
Ensure journald is configured to write log files to persistent diskmedium
pass
Network Configuration and Firewalls
Uncommon Network Protocols
Disable DCCP Supportmedium
pass
Disable SCTP Supportmedium
pass
File Permissions and Masks
Verify Permissions on Important Files and Directories
Verify Permissions and Ownership of Old Passwords Filemedium
pass
Verify Permissions on shadow Filemedium
pass
Verify File Permissions Within Some Important Directories
Verify that system commands files are group owned by root or a system accountmedium
pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable Mounting of squashfslow
pass
Disable Mounting of udflow
pass
Disable Modprobe Loading of USB Storage Drivermedium
pass
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable Core Dumps for All Usersmedium
pass
Services 2x fail
Cron and At Daemons
Verify Permissions on cron.dmedium
pass
Verify Permissions on cron.dailymedium
pass
Verify Permissions on cron.hourlymedium
pass
Verify Permissions on cron.monthlymedium
pass
Verify Permissions on cron.weeklymedium
pass
Network Time Protocol
Ensure that chronyd is running under chrony user accountmedium
pass
SSH Server 2x fail
Configure OpenSSH Server if Necessary 2x fail
Set SSH Client Alive Count Max to zeromedium
pass
Set SSH Client Alive Intervalmedium
pass
Disable SSH Root Loginmedium
fail
Disable SSH TCP Forwardingmedium
fail
Disable SSH Support for User Known Hostsmedium
pass
Disable X11 Forwardingmedium
pass
Enable SSH Warning Bannermedium
pass
Set SSH Daemon LogLevel to VERBOSEmedium
pass
Set SSH authentication attempt limitmedium
pass
Set SSH MaxSessions limitmedium
pass
Ensure SSH MaxStartups is configuredmedium
pass
Use Only FIPS 140-2 Validated Ciphersmedium
pass
Use Only FIPS 140-2 Validated Ciphersmedium
pass
Use Only FIPS 140-2 Validated MACsmedium
pass
Use Only FIPS 140-2 Validated MACsmedium
pass
Verify Permissions on SSH Server config filemedium
pass

Result Details

Configure AIDE to Verify the Audit Toolsxccdf_org.ssgproject.content_rule_aide_check_audit_tools mediumCCE-85610-4

Configure AIDE to Verify the Audit Tools

Rule IDxccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_check_audit_tools:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85610-4

References:  CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-15-030630, SV-234962r622137_rule

Description
The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)24.10.160:0.16-24.170af9e8139db7c82aide-0:0.16-24.1.x86_64

auditctl is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

auditd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_auditd:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

ausearch is checked in /etc/aide.conf  oval:ssg-test_aide_verify_ausearch:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

aureport is checked in /etc/aide.conf  oval:ssg-test_aide_verify_aureport:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

autrace is checked in /etc/aide.conf  oval:ssg-test_aide_verify_autrace:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

audispd is checked in /etc/aide.conf  oval:ssg-test_aide_verify_audispd:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

augenrules is checked in /etc/aide.conf  oval:ssg-test_aide_verify_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.conf/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-85671-6

Configure Periodic Execution of AIDE

Rule IDxccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_periodic_cron_checking:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85671-6

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010420, 1.4.2, SV-234851r622137_rule

Description
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 
05 4 * * * root /usr/bin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 
05 4 * * 0 root /usr/bin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
Rationale
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)24.10.160:0.16-24.170af9e8139db7c82aide-0:0.16-24.1.x86_64

run aide with cron  oval:ssg-test_aide_periodic_cron_checking:tst:1  true

Following items have been found on the system:
PathContent
/etc/crontab05 4 * * * root /usr/bin/aide --check

run aide with cron  oval:ssg-test_aide_crond_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/cron.d^.*$^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/bin\/aide[\s]*\-\-check.*$1

run aide with cron  oval:ssg-test_aide_var_cron_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/var/spool/cron/root^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/bin\/aide[\s]*\-\-check.*$1

run aide with cron.(daily|weekly)  oval:ssg-test_aide_crontabs_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^/etc/cron.(daily|weekly)$^.*$^[^#]*\/usr\/bin\/aide\s+\-\-check\s*$1
Configure AIDE to Verify Access Control Lists (ACLs)xccdf_org.ssgproject.content_rule_aide_verify_acls lowCCE-85623-7

Configure AIDE to Verify Access Control Lists (ACLs)

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_acls
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_acls:def:1
Time2023-10-10T09:45:06+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-85623-7

References:  BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r622137_rule

Description
By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
Rationale
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)24.10.160:0.16-24.170af9e8139db7c82aide-0:0.16-24.1.x86_64

acl is set in /etc/aide.conf  oval:ssg-test_aide_verify_acls:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.confLogs = p+i+n+u+g+S+acl+xattrs
/etc/aide.confBinlib = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confManPages = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confDatabases = p+n+u+g+acl+xattrs
/etc/aide.confStaticDir = p+i+n+u+g+acl+xattrs
/etc/aide.confDevices = p+i+n+u+g+s+b+c+sha256+sha512+acl+xattrs
Configure AIDE to Verify Extended Attributesxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes lowCCE-85624-5

Configure AIDE to Verify Extended Attributes

Rule IDxccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_verify_ext_attributes:def:1
Time2023-10-10T09:45:06+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-85624-5

References:  BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040050, SV-234987r622137_rule

Description
By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf: 
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
Rationale
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
aidex86_64(none)24.10.160:0.16-24.170af9e8139db7c82aide-0:0.16-24.1.x86_64

xattrs is set in /etc/aide.conf  oval:ssg-test_aide_verify_ext_attributes:tst:1  true

Following items have been found on the system:
PathContent
/etc/aide.confLogs = p+i+n+u+g+S+acl+xattrs
/etc/aide.confBinlib = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confManPages = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs
/etc/aide.confDatabases = p+n+u+g+acl+xattrs
/etc/aide.confStaticDir = p+i+n+u+g+acl+xattrs
/etc/aide.confDevices = p+i+n+u+g+s+b+c+sha256+sha512+acl+xattrs
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_ptyxccdf_org.ssgproject.content_rule_sudo_add_use_pty mediumCCE-91190-9

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule IDxccdf_org.ssgproject.content_rule_sudo_add_use_pty
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_add_use_pty:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91190-9

References:  BP28(R58), Req-10.2.5, 10.2.1.5, 1.3.2

Description
The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.
OVAL test results details

use_pty exists in /etc/sudoers or /etc/sudoers.d/  oval:ssg-test_use_pty_sudoers:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults use_pty
Ensure Sudo Logfile Exists - sudo logfilexccdf_org.ssgproject.content_rule_sudo_custom_logfile lowCCE-91311-1

Ensure Sudo Logfile Exists - sudo logfile

Rule IDxccdf_org.ssgproject.content_rule_sudo_custom_logfile
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_custom_logfile:def:1
Time2023-10-10T09:45:06+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-91311-1

References:  Req-10.2.5, 10.2.1.5, 1.3.3

Description
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.
Rationale
A sudo log file simplifies auditing of sudo commands.
OVAL test results details

logfile exists in /etc/sudoers or /etc/sudoers.d/  oval:ssg-test_logfile_sudoers:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults logfile=/var/log/sudo.log
Ensure gpgcheck Enabled In Main zypper Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-83290-7

Ensure gpgcheck Enabled In Main zypper Configuration

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_globally_activated:def:1
Time2023-10-10T09:45:06+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-83290-7

References:  BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, SLES-15-010430, 1.2.3, SV-234852r622137_rule

Description
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure zypper to check package signatures before installing them, ensure the following line appears in /etc/zypp/zypp.conf in the [main] section: 
gpgcheck=1
Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
OVAL test results details

check value of gpgcheck in /etc/zypp/zypp.conf  oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1  true

Following items have been found on the system:
PathContent
/etc/zypp/zypp.confgpgcheck = 1
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-83262-6

Modify the System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_issue:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83262-6

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, SLES-15-010020, 1.8.1.2, SV-234803r622137_rule

Description
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
OVAL test results details

correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  true

Following items have been found on the system:
PathContent
/etc/issue.d/99-oscap-settingAuthorized uses only. All activity may be monitored and reported.
/etc/issue.d/80-hostinfo-00-space
/etc/issue.d/00-OS
/etc/issue.d/90-OS
/etc/issue Welcome to SUSE Linux Enterprise Server 15 SP5 (x86_64) - Kernel \r (\l). eth0: \4{eth0} \6{eth0} Current As Of: Tue Oct 10 09:40:42 2023 Network Interfaces eth0: (Unconfigured) Authorized uses only. All activity may be monitored and reported.
/etc/issue.d/80-hostinfo-02-dateCurrent As Of: Tue Oct 10 09:40:42 2023
/etc/issue.d/80-hostinfo-06-networkNetwork Interfaces eth0: (Unconfigured)
Modify the System Message of the Day Bannerxccdf_org.ssgproject.content_rule_banner_etc_motd mediumCCE-91349-1

Modify the System Message of the Day Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_motd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_motd:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91349-1

References:  1.8.1.1

Description
To configure the system message banner edit /etc/motd. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
OVAL test results details

correct banner in /etc/motd  oval:ssg-test_banner_etc_motd:tst:1  true

Following items have been found on the system:
PathContent
/etc/motdAuthorized uses only. All activity may be monitored and reported.
Verify Group Ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue mediumCCE-91355-8

Verify Group Ownership of System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_issue:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91355-8

References:  1.8.1.5

Description
To properly set the group owner of /etc/issue, run the command: 
$ sudo chgrp root /etc/issue
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing group ownership of /etc/issue.d/  oval:ssg-test_file_groupowner_etc_issue_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/etc/issue.d^.*$oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1
Verify ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_owner_etc_issue mediumCCE-91356-6

Verify ownership of System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_issue:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91356-6

References:  1.8.1.5

Description
To properly set the owner of /etc/issue, run the command: 
$ sudo chown root /etc/issue
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing user ownership of /etc/issue.d/  oval:ssg-test_file_owner_etc_issue_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type file_object
BehaviorsPathFilenameFilterFilter
no value/etc/issue.d^.*$oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1
Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember mediumCCE-91398-8

Limit Password Reuse

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91398-8

References:  CCI-000200, SRG-OS-000077-GPOS-00045, 5.3.3

Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM modules.

In the file /etc/pam.d/common-password, make sure the parameters remember and use_authtok are present, and that the value for the remember parameter is 5 or greater. For example: 
password requisite pam_pwhistory.so ...existing_options... remember=5 use_authtok
The DoD STIG requirement is 5 passwords.
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
OVAL test results details

Verify remember configuation of pam_pwhistory.so  oval:ssg-test_pam_password_pam_pwhistory_remember:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_pwhistory.so remember=5 use_authtok

Verify use_authtok configuation of pam_pwhistory.so  oval:ssg-test_pam_password_pam_pwhistory_use_authtok:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_pwhistory.so remember=5 use_authtok
Enforce Delay After Failed Logon Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay mediumCCE-85619-5

Enforce Delay After Failed Logon Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faildelay_delay:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85619-5

References:  CCI-000366, SRG-OS-000480-GPOS-00226, SLES-15-040000, SV-234982r622137_rule

Description
To configure the system to introduce a delay after failed logon attempts, add or correct the pam_faildelay settings in /etc/pam.d/common-auth to make sure its delay parameter is at least 4000000 or greater. For example: 
auth required pam_faildelay.so delay=4000000
Rationale
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
OVAL test results details

Verify delay configuation of pam_faildelay.so  oval:ssg-test_pam_auth_pam_faildelay_delay:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-authauth required pam_faildelay.so delay=4000000
Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2 mediumCCE-85554-4

Set Deny For Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_tally2:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85554-4

References:  CCI-000044, Req-8.1.6, 8.3.4, SRG-OS-000021-GPOS-00005, SLES-15-020010, 5.3.2, SV-234867r622137_rule

Description
The SUSE Linux Enterprise 15 operating system must lock an account after - at most - 5 consecutive invalid access attempts.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. To configure the operating system to lock an account after three unsuccessful consecutive access attempts using pam_tally2.so, modify the content of both /etc/pam.d/login and /etc/pam.d/common-account as follows:

  • add or modify the pam_tally2.so module line in /etc/pam.d/login to ensure both onerr=fail and deny=5 are present. For example: 
    auth required pam_tally2.so onerr=fail silent audit deny=5
  • add or modify the following line in /etc/pam.d/common-account: 
    account required pam_tally2.so
OVAL test results details

Verify deny configuation of pam_tally2  oval:ssg-test_accounts_passwords_pam_tally2_deny_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/loginauth required pam_tally2.so deny=5 onerr=fail

Verify deny configuation of pam_tally2_account  oval:ssg-test_accounts_passwords_pam_tally2_deny_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-accountaccount required pam_tally2.so
Set Password Strength Minimum Digit Charactersxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit mediumCCE-85564-3

Set Password Strength Minimum Digit Characters

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_dcredit:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85564-3

References:  CCI-000194, Req-8.2.3, 8.3.6, SRG-OS-000071-GPOS-00039, SLES-15-020150, 5.3.1, SV-234884r622137_rule

Description
The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.
Rationale
Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

Verify dcredit configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_dcredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set Password Strength Minimum Different Charactersxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok mediumCCE-85677-3

Set Password Strength Minimum Different Characters

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_difok:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85677-3

References:  CCI-000195, IA-5(1).1(v), IA-5(1)(b), SRG-OS-000072-GPOS-00040, SLES-15-020160, SV-234885r622137_rule

Description
The pam_cracklib module's difok parameter controls requirements for usage of different characters during a password change. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. Make sure the difok parameter for the pam_cracklib module is configured to greater than or equal to 8.
Rationale
Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
OVAL test results details

Verify difok configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_difok:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set Password Strength Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit mediumCCE-85676-5

Set Password Strength Minimum Lowercase Characters

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_lcredit:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85676-5

References:  CCI-000193, IA-5(1)(a), IA-5(1).1(v), Req-8.2.3, 8.3.6, SRG-OS-000070-GPOS-00038, SLES-15-020140, 5.3.1, SV-234883r622137_rule

Description
The pam_cracklib module's lcredit= parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. Add lcredit=-1 after pam_cracklib.so to require use of a lowercase character in passwords.
Rationale
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

Verify lcredit configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_lcredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set Password Minimum Lengthxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen mediumCCE-85573-4

Set Password Minimum Length

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_minlen:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85573-4

References:  CCI-000205, Req-8.2.3, 8.3.6, SRG-OS-000078-GPOS-00046, SLES-15-020260, 5.3.1, SV-234895r622137_rule

Description
The pam_cracklib module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 to set minimum password length requirements.
Rationale
Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
OVAL test results details

Verify minlen configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_minlen:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set Password Strength Minimum Special Charactersxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit mediumCCE-85574-2

Set Password Strength Minimum Special Characters

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_ocredit:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85574-2

References:  CCI-001619, IA-5(a), IA-5(v), Req-8.2.3, 8.3.6, SRG-OS-000266-GPOS-00101, SLES-15-020270, 5.3.1, SV-234896r622137_rule

Description
The pam_cracklib module's ocredit= parameter controls requirements for usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. Make sure the ocredit parameter for the pam_cracklib module is set to less than or equal to -1. For example, ocredit=-1.
Rationale
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

Verify ocredit configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_ocredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set Password Retry Limitxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry mediumCCE-85575-9

Set Password Retry Limit

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_retry:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85575-9

References:  CCI-000366, Req-8.1.6, Req-8.1.7, 8.3.4, SRG-OS-000480-GPOS-00225, SLES-15-020290, 5.3.1, SV-234897r622137_rule

Description
The pam_cracklib module's retry parameter controls the maximum number of times to prompt the user for the password before returning with error. Make sure it is configured with a value that is no more than 3. For example, retry=1.
Rationale
To reduce opportunities for successful guesses and brute-force attacks.
OVAL test results details

Verify retry configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_retry:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3 password required pam_unix.so use_authtok nullok shadow try_first_pass sha512
Set Password Strength Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit mediumCCE-85675-7

Set Password Strength Minimum Uppercase Characters

Rule IDxccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-cracklib_accounts_password_pam_ucredit:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85675-7

References:  CCI-000192, IA-5(1)(a), IA-5(1).1(v), Req-8.2.3, 8.3.6, SRG-OS-000069-GPOS-00037, SLES-15-020130, 5.3.1, SV-234882r622137_rule

Description
The pam_cracklib module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. Add ucredit=-1 after pam_cracklib.so to require use of an upper case character in passwords.
Rationale
Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

Verify ucredit configuation of pam_cracklib.so  oval:ssg-test_pam_password_pam_cracklib_ucredit:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword requisite pam_cracklib.so minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 difok=8 retry=3
Set PAM's Common Authentication Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_commonauth mediumCCE-85754-0

Set PAM's Common Authentication Hashing Algorithm

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_commonauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_commonauth:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85754-0

References:  CCI-000803, IA-7, IA-7.1, Req-8.2.1, 8.3.2, SRG-OS-000120-GPOS-00061

Description
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/common-auth, the auth section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the auth section to include the argument sha512, as shown below: 
auth   required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their authentication method, hashes for the new authentications will be generated using the SHA-512 algorithm. This is the default.
Rationale
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and data may be compromised. This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

Verify sha512 configuation of pam_unix.so  oval:ssg-test_pam_auth_pam_unix_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-authauth required pam_unix.so try_first_pass sha512 auth required pam_faildelay.so delay=4000000
Set PAM''s Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-85565-0

Set PAM''s Password Hashing Algorithm

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85565-0

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SLES-15-020170, SV-234886r622137_rule

Description
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/common-password", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below: 
password    required    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/system-auth for correct settings  oval:ssg-test_pam_unix_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/common-passwordpassword required pam_unix.so use_authtok nullok shadow try_first_pass sha512
Configure Smart Card Certificate Authority Validationxccdf_org.ssgproject.content_rule_smartcard_configure_ca mediumCCE-83272-5

Configure Smart Card Certificate Authority Validation

Rule IDxccdf_org.ssgproject.content_rule_smartcard_configure_ca
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-smartcard_configure_ca:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83272-5

References:  CCI-000185, CCI-001991, SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167, SLES-15-010170, SV-234817r622137_rule

Description
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ca like so: 
cert_policy = ca, ocsp_on, signature;
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
OVAL test results details

package pam_pkcs11 is installed  oval:ssg-test_package_pam_pkcs11_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pam_pkcs11x86_64(none)1.170.6.100:0.6.10-1.1770af9e8139db7c82pam_pkcs11-0:0.6.10-1.17.x86_64

package mozilla-nss is installed  oval:ssg-test_package_mozilla-nss_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
mozilla-nssx86_64(none)150400.3.32.13.900:3.90-150400.3.32.170af9e8139db7c82mozilla-nss-0:3.90-150400.3.32.1.x86_64

package mozilla-nss-tools is installed  oval:ssg-test_package_mozilla-nss-tools_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
mozilla-nss-toolsx86_64(none)150400.3.32.13.900:3.90-150400.3.32.170af9e8139db7c82mozilla-nss-tools-0:3.90-150400.3.32.1.x86_64

package pcsc-ccid is installed  oval:ssg-test_package_pcsc-ccid_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-ccidx86_64(none)150400.1.51.4.360:1.4.36-150400.1.570af9e8139db7c82pcsc-ccid-0:1.4.36-150400.1.5.x86_64

package pcsc-lite is installed  oval:ssg-test_package_pcsc-lite_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-litex86_64(none)150400.1.91.9.40:1.9.4-150400.1.970af9e8139db7c82pcsc-lite-0:1.9.4-150400.1.9.x86_64

package pcsc-tools is installed  oval:ssg-test_package_pcsc-tools_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-toolsx86_64(none)150400.1.61.5.80:1.5.8-150400.1.670af9e8139db7c82pcsc-tools-0:1.5.8-150400.1.6.x86_64

package opensc is installed  oval:ssg-test_package_opensc_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openscx86_64(none)150400.3.3.10.22.00:0.22.0-150400.3.3.170af9e8139db7c82opensc-0:0.22.0-150400.3.3.1.x86_64

Test ca in /etc/pam_pkcs11/pkcs11.conf  oval:ssg-test_pam_pkcs11_cert_policy_ca:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
Configure Smart Card Certificate Status Checkingxccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking mediumCCE-83293-1

Configure Smart Card Certificate Status Checking

Rule IDxccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-smartcard_configure_cert_checking:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83293-1

References:  CCI-001948, CCI-001953, CCI-001954, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SLES-15-010470, SV-234855r622137_rule

Description
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so: 
cert_policy = ca, ocsp_on, signature;
Rationale
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
OVAL test results details

package pam_pkcs11 is installed  oval:ssg-test_package_pam_pkcs11_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pam_pkcs11x86_64(none)1.170.6.100:0.6.10-1.1770af9e8139db7c82pam_pkcs11-0:0.6.10-1.17.x86_64

package mozilla-nss is installed  oval:ssg-test_package_mozilla-nss_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
mozilla-nssx86_64(none)150400.3.32.13.900:3.90-150400.3.32.170af9e8139db7c82mozilla-nss-0:3.90-150400.3.32.1.x86_64

package mozilla-nss-tools is installed  oval:ssg-test_package_mozilla-nss-tools_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
mozilla-nss-toolsx86_64(none)150400.3.32.13.900:3.90-150400.3.32.170af9e8139db7c82mozilla-nss-tools-0:3.90-150400.3.32.1.x86_64

package pcsc-ccid is installed  oval:ssg-test_package_pcsc-ccid_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-ccidx86_64(none)150400.1.51.4.360:1.4.36-150400.1.570af9e8139db7c82pcsc-ccid-0:1.4.36-150400.1.5.x86_64

package pcsc-lite is installed  oval:ssg-test_package_pcsc-lite_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-litex86_64(none)150400.1.91.9.40:1.9.4-150400.1.970af9e8139db7c82pcsc-lite-0:1.9.4-150400.1.9.x86_64

package pcsc-tools is installed  oval:ssg-test_package_pcsc-tools_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
pcsc-toolsx86_64(none)150400.1.61.5.80:1.5.8-150400.1.670af9e8139db7c82pcsc-tools-0:1.5.8-150400.1.6.x86_64

package opensc is installed  oval:ssg-test_package_opensc_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openscx86_64(none)150400.3.3.10.22.00:0.22.0-150400.3.3.170af9e8139db7c82opensc-0:0.22.0-150400.3.3.1.x86_64

Test ocsp_on in /etc/pam_pkcs11/pam_pkcs11.conf  oval:ssg-test_pam_pkcs11_all_cert_policy_ocsp_on:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
/etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca, ocsp_on, signature;
Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-85665-8

Disable Ctrl-Alt-Del Burst Action

Rule IDxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_ctrlaltdel_burstaction:def:1
Time2023-10-10T09:45:06+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-85665-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(b), CM-6.1(iv), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, SLES-15-040062, SV-234990r622137_rule

Description
By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf: 
CtrlAltDelBurstAction=none
Rationale
A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
Warnings
warning  Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
OVAL test results details

check if CtrlAltDelBurstAction is set to none  oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/system.confCtrlAltDelBurstAction=none
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-85571-8

Set Existing Passwords Maximum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_max_life_existing:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85571-8

References:  CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, SLES-15-020230, 5.4.1.2, SV-234892r622137_rule

Description
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: 
$ sudo chage -M 60 USER
Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str 60
  tags:
    - always

- name: Collect users with not correct maximum time period between password changes
  ansible.builtin.command:
    cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs
      }} || $5 == "")) {print $1}' /etc/shadow
  register: user_names
  tags:
  - CCE-85571-8
  - DISA-STIG-SLES-15-020230
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_max_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change the maximum time period between password changes
  ansible.builtin.command:
    cmd: passwd -q -x {{ var_accounts_maximum_age_login_defs }} {{ item }}
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names.stdout_lines | length > 0
  tags:
  - CCE-85571-8
  - DISA-STIG-SLES-15-020230
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - accounts_password_set_max_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

var_accounts_maximum_age_login_defs='60'


while IFS= read -r i; do
    
    passwd -q -x $var_accounts_maximum_age_login_defs $i

done <   <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)
OVAL test results details

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing:tst:1  true

Following items have been found on the system:
PathContent
/etc/shadowbernhard:$6$xx2Cr31XbegkY0Jx$V0Xhl7QjOftSdXq1k1ejZahmx8dhysx2KpX3IF/qHX1lQU2eVDFcAfua9sgvK.DoXs8UGi80YIbT2hFMNp4Ov0:19640:7:60:7:35::

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:tst:1  true

Following items have been found on the system:
PathContent
/etc/shadowbernhard:$6$xx2Cr31XbegkY0Jx$V0Xhl7QjOftSdXq1k1ejZahmx8dhysx2KpX3IF/qHX1lQU2eVDFcAfua9sgvK.DoXs8UGi80YIbT2hFMNp4Ov0:19640:7:60:7:35::

Passwords must have the maximum password age set non-empty in /etc/shadow.  oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_not_empty:tst:1  false

Following items have been found on the system:
PathContent
/etc/shadowroot:$6$I.FmW36kPW.qLFcU$EB6aMvDmjklnyTxbT6gq8uniBa5hZJOqp1feBDeZaO3vJeaRYtoVAah81VD7sZzFd73DUJX1743uaRN3/zjFF.:19640::::::
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-85710-2

Set Existing Passwords Minimum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_min_life_existing:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85710-2

References:  CCI-000198, IA-5(1).1(v), SRG-OS-000075-GPOS-00043, SLES-15-020210, 5.4.1.3, SV-234890r622137_rule

Description
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: 
$ sudo chage -m 1 USER
Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str 7
  tags:
    - always

- name: Collect users with not correct minimum time period between password changes
  command: |
    awk -F':' '(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}' /etc/shadow
  register: user_names
  tags:
  - CCE-85710-2
  - DISA-STIG-SLES-15-020210
  - NIST-800-53-IA-5(1).1(v)
  - accounts_password_set_min_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Change the minimum time period between password changes
  command: |
    passwd -q -n {{ var_accounts_minimum_age_login_defs }} {{ item }}
  with_items: '{{ user_names.stdout_lines }}'
  when: user_names.stdout_lines | length > 0
  tags:
  - CCE-85710-2
  - DISA-STIG-SLES-15-020210
  - NIST-800-53-IA-5(1).1(v)
  - accounts_password_set_min_life_existing
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

var_accounts_minimum_age_login_defs='7'


while IFS= read -r i; do
    
    passwd -q -n $var_accounts_minimum_age_login_defs $i

done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == "")) {print $1}' /etc/shadow)
OVAL test results details

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing:tst:1  true

Following items have been found on the system:
PathContent
/etc/shadowbernhard:$6$xx2Cr31XbegkY0Jx$V0Xhl7QjOftSdXq1k1ejZahmx8dhysx2KpX3IF/qHX1lQU2eVDFcAfua9sgvK.DoXs8UGi80YIbT2hFMNp4Ov0:19640:7:60:7:35::

Compares a specific field in /etc/shadow with a specific variable value  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:tst:1  true

Following items have been found on the system:
PathContent
/etc/shadowbernhard:$6$xx2Cr31XbegkY0Jx$V0Xhl7QjOftSdXq1k1ejZahmx8dhysx2KpX3IF/qHX1lQU2eVDFcAfua9sgvK.DoXs8UGi80YIbT2hFMNp4Ov0:19640:7:60:7:35::

Passwords must have the maximum password age set non-empty in /etc/shadow.  oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_not_empty:tst:1  false

Following items have been found on the system:
PathContent
/etc/shadowroot:$6$I.FmW36kPW.qLFcU$EB6aMvDmjklnyTxbT6gq8uniBa5hZJOqp1feBDeZaO3vJeaRYtoVAah81VD7sZzFd73DUJX1743uaRN3/zjFF.:19640::::::
Direct root Logins Not Allowedxccdf_org.ssgproject.content_rule_no_direct_root_logins mediumCCE-91427-5

Direct root Logins Not Allowed

Rule IDxccdf_org.ssgproject.content_rule_no_direct_root_logins
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_direct_root_logins:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91427-5

References:  BP28(R19), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, 8.6.1, 5.5

Description
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, SUSE Linux Enterprise 15's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command: 
$ sudo echo > /etc/securetty
Rationale
Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
Warnings
warning  This rule only checks the /etc/securetty file existence and its content. If you need to restrict user access using the /etc/securetty file, make sure the pam_securetty.so PAM module is properly enabled in relevant PAM files.
OVAL test results details

no entries in /etc/securetty  oval:ssg-test_no_direct_root_logins:tst:1  true

Following items have been found on the system:
PathContent
/etc/securetty

/etc/securetty file exists  oval:ssg-test_etc_securetty_exists:tst:1  true

Following items have been found on the system:
PathContent
/etc/securetty
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile mediumCCE-91216-2

Ensure the Default Umask is Set Correctly in /etc/profile

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_profile:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91216-2

References:  BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, 5.4.5

Description
To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: 
umask 027
Note that /etc/profile also reads scrips within /etc/profile.d directory. These scripts are also valid files to set umask value. Therefore, they should also be considered during the check and properly remediated, if necessary.
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:123

umask value(s) from profile configuration files match the requirement  oval:ssg-tst_accounts_umask_etc_profile:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_etc_profile_umask_as_number:var:123
Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-83269-1

Set Interactive Session Timeout

Rule IDxccdf_org.ssgproject.content_rule_accounts_tmout
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_tmout:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83269-1

References:  BP28(R29), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, 8.6.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SLES-15-010130, 5.4.4, SV-234813r622137_rule

Description
Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in /etc/profile.d/autologout.sh should read as follows: 
TMOUT=900
readonly TMOUT export TMOUT
Rationale
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
OVAL test results details

TMOUT in /etc/profile  oval:ssg-test_etc_profile_tmout:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/profile^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$1

TMOUT in /etc/profile.d/*.sh  oval:ssg-test_etc_profiled_tmout:tst:1  true

Following items have been found on the system:
PathContent
/etc/profile.d/autologout.shTMOUT=900 readonly TMOUT export TMOUT

Check that at least one TMOUT is defined  oval:ssg-test_accounts_tmout_defined:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_count_of_tmout_instances:var:11
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-85629-4

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_home_directories:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85629-4

References:  CCI-000366, SRG-OS-000480-GPOS-00227, SLES-15-040090, 6.2.6, SV-234993r622137_rule

Description
Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command: 
$ sudo chmod 0750 /home/USER
Rationale
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
OVAL test results details

All home directories have proper permissions  oval:ssg-test_file_permissions_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/bernhard/directory1001100168rwxr-x--- 
/home/azureuser/directory1000100168rwxr-x--- 
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-85693-0

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85693-0

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SLES-15-030290, 4.1.9, SV-234928r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-85690-6

Record Events that Modify the System's Discretionary Access Controls - chown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chown:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85690-6

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SLES-15-030250, 4.1.9, SV-234924r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit chown  oval:ssg-test_32bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit chown  oval:ssg-test_64bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chown  oval:ssg-test_32bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit chown  oval:ssg-test_64bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-85694-8

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85694-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SLES-15-030290, 4.1.9, SV-234928r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-85695-5

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmodat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85695-5

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SLES-15-030290, 4.1.9, SV-234928r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-85721-9

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchown:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85721-9

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SLES-15-030250, 4.1.9, SV-234924r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-85692-2

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchownat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85692-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SLES-15-030250, 4.1.9, SV-234924r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-85686-4

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fremovexattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85686-4

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-85688-0

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fsetxattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85688-0

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-85691-4

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lchown:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85691-4

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SLES-15-030250, 4.1.9, SV-234924r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-85685-6

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lremovexattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85685-6

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-85689-8

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lsetxattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85689-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-85684-9

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_removexattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85684-9

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-85687-2

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_setxattr:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85687-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SLES-15-030190, 4.1.9, SV-234918r622137_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - umountxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount mediumCCE-85734-2

Record Events that Modify the System's Discretionary Access Controls - umount

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_umount:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85734-2

References:  CCI-000130, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030360, SV-234935r622137_rule

Description
At a minimum, the audit system should collect file system umount changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit umount  oval:ssg-test_32bit_ardm_umount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit umount  oval:ssg-test_32bit_ardm_umount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - umount2xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 mediumCCE-91250-1

Record Events that Modify the System's Discretionary Access Controls - umount2

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_umount2:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91250-1

References:  BP28(R73), CCI-000130, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030360, SV-234935r622137_rule

Description
At a minimum, the audit system should collect file system umount2 changes. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit umount2  oval:ssg-test_32bit_ardm_umount2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit umount2  oval:ssg-test_64bit_ardm_umount2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit umount2  oval:ssg-test_32bit_ardm_umount2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit umount2  oval:ssg-test_64bit_ardm_umount2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Any Attempts to Run chaclxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl mediumCCE-85595-7

Record Any Attempts to Run chacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chacl:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85595-7

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SLES-15-030440, SV-234943r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chacl  oval:ssg-test_audit_rules_execution_chacl_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chacl  oval:ssg-test_audit_rules_execution_chacl_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run chmodxccdf_org.ssgproject.content_rule_audit_rules_execution_chmod mediumCCE-85593-2

Record Any Attempts to Run chmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85593-2

References:  CCI-000130, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030420, SV-234941r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the chmod command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chmod  oval:ssg-test_audit_rules_execution_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chmod  oval:ssg-test_audit_rules_execution_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run setfaclxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl mediumCCE-85594-0

Record Any Attempts to Run setfacl

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_setfacl:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85594-0

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030430, SV-234942r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules setfacl  oval:ssg-test_audit_rules_execution_setfacl_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl setfacl  oval:ssg-test_audit_rules_execution_setfacl_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-85716-9

Record Any Attempts to Run chcon

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_chcon:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85716-9

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii)AU-12.1(iv), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SLES-15-030450, SV-234944r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record Any Attempts to Run rmxccdf_org.ssgproject.content_rule_audit_rules_execution_rm mediumCCE-85596-5

Record Any Attempts to Run rm

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_execution_rm
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_execution_rm:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85596-5

References:  CCI-000130, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030460, SV-234945r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the rm command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules rm  oval:ssg-test_audit_rules_execution_rm_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl rm  oval:ssg-test_audit_rules_execution_rm_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-85768-0

Ensure auditd Collects File Deletion Events by User - rename

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rename:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85768-0

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.13

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit rename  oval:ssg-test_32bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit rename  oval:ssg-test_64bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rename  oval:ssg-test_32bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit rename  oval:ssg-test_64bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-85769-8

Ensure auditd Collects File Deletion Events by User - renameat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_renameat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85769-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.13

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-85772-2

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85772-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, 4.1.13

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-85681-5

Record Unsuccessful Access Attempts to Files - creat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85681-5

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, 4.1.10, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-85696-3

Record Unsuccessful Access Attempts to Files - ftruncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85696-3

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, 4.1.10, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-85680-7

Record Unsuccessful Access Attempts to Files - open

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85680-7

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, 4.1.10, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - open_by_handle_atxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at mediumCCE-85683-1

Record Unsuccessful Access Attempts to Files - open_by_handle_at

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85683-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(c), AU-12.1(iv), AU-12(a), AU-12.1(ii), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-85682-3

Record Unsuccessful Access Attempts to Files - openat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85682-3

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(a), AU-12.1(ii), AU-12(c), AU-12.1(iv), AU-3, AU-3.1, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, 4.1.10, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Delete Attempts to Files - renamexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename mediumCCE-85701-1

Record Unsuccessful Delete Attempts to Files - rename

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85701-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(c), AU-12.1(iv), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SLES-15-030740, SV-234973r622137_rule

Description
The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
Rationale
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: 
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Delete Attempts to Files - renameatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat mediumCCE-85702-9

Record Unsuccessful Delete Attempts to Files - renameat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85702-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(c), AU-12.1(iv), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SLES-15-030740, SV-234973r622137_rule

Description
The operating system must generate audit records for all uses of the renameat system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate an audit record for all uses of the renameat system call: 
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod
Rationale
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: 
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=4294967295 -k perm_mod
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Delete Attempts to Files - renameat2xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat2 mediumCCE-85726-8

Record Unsuccessful Delete Attempts to Files - renameat2

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat2
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_renameat2:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85726-8

References:  CCI-000172, AU-12(c), AU-12.1(iv), SRG-OS-000468-GPOS-00212, SLES-15-030740, SV-234973r622137_rule

Description
The operating system must generate audit records for all uses of the renameat2 system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate an audit record for all uses of the renameat2 system call: 
-a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=-1 -k perm_mod
Rationale
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: 
-a always,exit -F arch=b32 -S renameat2 -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S renameat2 -F auid>=1000 -F auid!=4294967295 -k perm_mod
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat2_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S renameat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat2_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S renameat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-85608-8

Record Unsuccessful Access Attempts to Files - truncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85608-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SLES-15-030150, 4.1.10, SV-234914r622137_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines: 
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Delete Attempts to Files - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat mediumCCE-85704-5

Record Unsuccessful Delete Attempts to Files - unlinkat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85704-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-12(c), AU-12.1(iv), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SLES-15-030740, SV-234973r622137_rule

Description
The operating system must generate audit records for all uses of the unlinkat system call. Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate an audit record for all uses of the unlinkat system call: 
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k perm_mod
Rationale
Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example: 
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=4294967295 -k perm_mod
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-85748-2

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_delete:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85748-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SLES-15-030520, 4.1.16, SV-234951r622137_rule

Description
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S delete_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S delete_module -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S delete_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S delete_module -F key=modules
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit mediumCCE-85749-0

Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_finit:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85749-0

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SLES-15-030530, SV-234952r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S finit_module -F key=modules
Rationale
The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S finit_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S finit_module -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S finit_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S finit_module -F key=modules
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-85750-8

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_init:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85750-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SLES-15-030530, 4.1.16, SV-234952r622137_rule

Description
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: 
-a always,exit -F arch=ARCH -S init_module -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b32 -S init_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-a always,exit -F arch=b64 -S init_module -F key=modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S init_module -F key=modules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S init_module -F key=modules
Ensure auditd Collects Information on the Use of Privileged Commands - chagexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage mediumCCE-85587-4

Ensure auditd Collects Information on the Use of Privileged Commands - chage

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chage:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85587-4

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030120, SV-234911r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chage  oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chage  oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - chfnxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn mediumCCE-85589-0

Ensure auditd Collects Information on the Use of Privileged Commands - chfn

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chfn:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85589-0

References:  CCI-000130, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-12(a), AU-12(c), MA-4(1)(a), SLES-15-030340, SV-234933r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chfn  oval:ssg-test_audit_rules_privileged_commands_chfn_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chfn  oval:ssg-test_audit_rules_privileged_commands_chfn_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - chshxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh mediumCCE-85586-6

Ensure auditd Collects Information on the Use of Privileged Commands - chsh

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_chsh:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85586-6

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030100, SV-234909r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - crontabxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab mediumCCE-85588-2

Ensure auditd Collects Information on the Use of Privileged Commands - crontab

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_crontab:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85588-2

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030130, SV-234912r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd mediumCCE-85584-1

Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_gpasswd:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85584-1

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030080, SV-234907r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - insmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod mediumCCE-85744-1

Ensure auditd Collects Information on the Use of Privileged Commands - insmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_insmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85744-1

References:  BP28(R73), CCI-000130, CCI-000169, CCI-000172, CCI-002884, AU-12(c), AU-12.1(iv), AU-3, AU-3.1, AU-12(a), AU-12.1(ii), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030380, 4.1.16, SV-234937r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/insmod -p x -k modules
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules insmod  oval:ssg-test_insmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-w /sbin/insmod -p x -k modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl insmod  oval:ssg-test_insmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /sbin/insmod -p x -k modules
Ensure auditd Collects Information on the Use of Privileged Commands - kmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod mediumCCE-85591-6

Ensure auditd Collects Information on the Use of Privileged Commands - kmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_kmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85591-6

References:  BP28(R73), CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SLES-15-030410, SV-234940r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /usr/bin/kmod -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-w /usr/bin/kmod -p x -k modules
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules kmod  oval:ssg-test_kmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-w /usr/bin/kmod -p x -k modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl kmod  oval:ssg-test_kmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /usr/bin/kmod -p x -k modules
Ensure auditd Collects Information on the Use of Privileged Commands - modprobexccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe mediumCCE-85731-8

Ensure auditd Collects Information on the Use of Privileged Commands - modprobe

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_modprobe:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85731-8

References:  BP28(R73), CCI-000130, CCI-000169, CCI-000172, CCI-002884, AU-12(a), AU-12.1(ii), AU-3, AU-3.1, AU-12(c), AU-12.1(iv), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030400, 4.1.16, SV-234939r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/modprobe -p x -k modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-w /sbin/modprobe -p x -k modules
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules modprobe  oval:ssg-test_modprobe_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-w /sbin/modprobe -p x -k modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl modprobe  oval:ssg-test_modprobe_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /sbin/modprobe -p x -k modules
Ensure auditd Collects Information on the Use of Privileged Commands - newgrpxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp mediumCCE-85585-8

Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_newgrp:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85585-8

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030090, SV-234908r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_checkxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check mediumCCE-85601-3

Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85601-3

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030510, SV-234950r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - passmassxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passmass mediumCCE-85599-9

Ensure auditd Collects Information on the Use of Privileged Commands - passmass

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passmass
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_passmass:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85599-9

References:  CCI-000130, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SLES-15-030490, SV-234948r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules passmass  oval:ssg-test_audit_rules_privileged_commands_passmass_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl passmass  oval:ssg-test_audit_rules_privileged_commands_passmass_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - passwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd mediumCCE-85583-3

Ensure auditd Collects Information on the Use of Privileged Commands - passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_passwd:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85583-3

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030070, SV-234906r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - rmmodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod mediumCCE-85732-6

Ensure auditd Collects Information on the Use of Privileged Commands - rmmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_rmmod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85732-6

References:  BP28(R73), CCI-000130, CCI-000169, CCI-000172, CCI-002884, AU-12(c), AU-12.1(iv), AU-3, AU-3.1, AU-12(a), AU-12.1(ii), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030390, 4.1.16, SV-234938r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /sbin/rmmod -p x -k modules
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules rmmod  oval:ssg-test_rmmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/modules.rules-w /sbin/rmmod -p x -k modules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl rmmod  oval:ssg-test_rmmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /sbin/rmmod -p x -k modules
Record Any Attempts to Run ssh-agentxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent mediumCCE-85590-8

Record Any Attempts to Run ssh-agent

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_agent:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85590-8

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030370, SV-234936r622137_rule

Description
At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file: 
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_agent  oval:ssg-test_audit_rules_privileged_commands_ssh_agent_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysignxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign mediumCCE-85582-5

Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85582-5

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030060, SV-234905r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - suxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su mediumCCE-85602-1

Ensure auditd Collects Information on the Use of Privileged Commands - su

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_su:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85602-1

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SLES-15-030550, SV-234954r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules su  oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl su  oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - sudoxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo mediumCCE-85603-9

Ensure auditd Collects Information on the Use of Privileged Commands - sudo

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_sudo:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85603-9

References:  BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, SLES-15-030560, SV-234955r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - sudoeditxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit mediumCCE-85717-7

Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_sudoedit:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85717-7

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030330, SV-234932r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix2_chkpwd mediumCCE-85762-3

Ensure auditd Collects Information on the Use of Privileged Commands - unix2_chkpwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix2_chkpwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix2_chkpwd:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85762-3

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000037-GPOS-00015, SLES-15-030110, SV-234910r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules unix2_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix2_chkpwd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix2_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix2_chkpwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwdxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd mediumCCE-85727-6

Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85727-6

References:  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, SLES-15-030110, SV-234910r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Ensure auditd Collects Information on the Use of Privileged Commands - usermodxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod mediumCCE-85600-5

Ensure auditd Collects Information on the Use of Privileged Commands - usermod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_privileged_commands_usermod:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85600-5

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SLES-15-030500, SV-234949r622137_rule

Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules: 
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/privileged.rules-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl usermod  oval:ssg-test_audit_rules_privileged_commands_usermod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex mediumCCE-85814-2

Record attempts to alter time through adjtimex

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_adjtimex:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85814-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F key=audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F key=audit_time_rules
Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-85816-7

Record Attempts to Alter Time Through clock_settime

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_clock_settime:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85816-7

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/time-change.rules-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/time-change.rules-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-85813-4

Record attempts to alter time through settimeofday

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_settimeofday:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85813-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
If the system is 64 bit then also add the following line: 
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit settimeofday  oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit settimeofday  oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F key=audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit settimeofday  oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit settimeofday  oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F key=audit_time_rules
Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-85815-9

Record Attempts to Alter Time Through stime

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_stime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_stime:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85815-9

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 4.1.3

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems: 
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems: 
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: 
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

32 bit architecture  oval:ssg-test_system_info_architecture_x86:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit stime  oval:ssg-test_32bit_art_stime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit stime  oval:ssg-test_32bit_art_stime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -F key=audit_time_rules
Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-85812-6

Record Attempts to Alter the localtime File

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_watch_localtime:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85812-6

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 10.6.3, 10.6.3, 4.1.3

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit /etc/localtime watch augenrules  oval:ssg-test_artw_etc_localtime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-w /etc/localtime -p wa -k audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit /etc/localtime watch auditctl  oval:ssg-test_artw_etc_localtime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/localtime -p wa -k audit_time_rules
Remove Default Configuration to Disable Syscall Auditingxccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing mediumCCE-85706-0

Remove Default Configuration to Disable Syscall Auditing

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_enable_syscall_auditing:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85706-0

References:  CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, SLES-15-030820, SV-234981r622137_rule

Description
By default, SUSE Linux Enterprise 15 ships an audit rule to disable syscall auditing for performance reasons. To make sure that syscall auditing works, this line must be removed from /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules: 
-a task,never
Rationale
Audit rules for syscalls do not take effect unless this line is removed.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

check that no audit rule exists in /etc/audit/rules.d/*.rules that disables all syscall auditing  oval:ssg-test_enable_syscall_audit_augenrules:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_enable_syscall_audit_augenrules:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/audit/rules\.d/.*\.rules$^[\s]*-a[\s]+task,never[\s]*$1

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

check that no audit rule exists in /etc/audit/audit.rules that disables all syscall auditing  oval:ssg-test_enable_syscall_audit_auditctl:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_enable_syscall_audit_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/audit/audit.rules^[\s]*-a[\s]+task,never[\s]*$1
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-85831-6

Make the auditd Configuration Immutable

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_immutable
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_immutable:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85831-6

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, 4.1.17

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable: 
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable: 
-e 2
With this setting, a reboot will be required to change any audit rules.
Rationale
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules configuration locked  oval:ssg-test_ari_locked_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/immutable.rules-e 2

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl configuration locked  oval:ssg-test_ari_locked_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-e 2
Record Events that Modify the System's Mandatory Access Controlsxccdf_org.ssgproject.content_rule_audit_rules_mac_modification mediumCCE-85830-8

Record Events that Modify the System's Mandatory Access Controls

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_mac_modification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_mac_modification:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85830-8

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, 4.1.6

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/selinux/ -p wa -k MAC-policy
Rationale
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit selinux changes augenrules  oval:ssg-test_armm_selinux_watch_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/MAC-policy.rules-w /etc/selinux/ -p wa -k MAC-policy

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit selinux changes auditctl  oval:ssg-test_armm_selinux_watch_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/selinux/ -p wa -k MAC-policy
Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-85718-5

Ensure auditd Collects Information on Exporting to Media (successful)

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_media_export
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_media_export:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85718-5

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SLES-15-030350, 4.1.12, SV-234934r622137_rule

Description
At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit mount  oval:ssg-test_32bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit mount  oval:ssg-test_64bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit mount  oval:ssg-test_32bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit mount  oval:ssg-test_64bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification mediumCCE-85828-2

Record Events that Modify the System's Network Environment

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_networkconfig_modification:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85828-2

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, 10.3.4, 4.1.5

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system: 
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
Rationale
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit /etc/issue augenrules  oval:ssg-test_arnm_etc_issue_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net augenrules  oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts augenrules  oval:ssg-test_arnm_etc_hosts_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network augenrules  oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit /etc/issue auditctl  oval:ssg-test_arnm_etc_issue_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net auditctl  oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts auditctl  oval:ssg-test_arnm_etc_hosts_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network auditctl  oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64openqa-suse-de-3b72c31b4a85652cLinux5.14.21-150500.55.31-default#1 SMP PREEMPT_DYNAMIC Wed Oct 4 16:52:05 UTC 2023 (5dc23e0)x86_64

audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname -S setdomainname -F key=audit_rules_networkconfig_modification
Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-85829-0

Record Attempts to Alter Process and Session Initiation Information

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_session_events
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_session_events:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85829-0

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, 4.1.8

Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules utmp  oval:ssg-test_arse_utmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/run/utmp -p wa -k session

audit augenrules btmp  oval:ssg-test_arse_btmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/btmp -p wa -k session

audit augenrules wtmp  oval:ssg-test_arse_wtmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/wtmp -p wa -k session

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl utmp  oval:ssg-test_arse_utmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/run/utmp -p wa -k session

audit auditctl btmp  oval:ssg-test_arse_btmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/btmp -p wa -k session

audit auditctl wtmp  oval:ssg-test_arse_wtmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/wtmp -p wa -k session
Record Attempts to Alter Process and Session Initiation Information btmpxccdf_org.ssgproject.content_rule_audit_rules_session_events_btmp mediumCCE-85758-1

Record Attempts to Alter Process and Session Initiation Information btmp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_session_events_btmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_session_events_btmp:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85758-1

References:  CCI-000172, AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, SLES-15-030780, SV-234977r622137_rule

Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/log/btmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: 
-w /var/log/btmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules btmp  oval:ssg-test_arle_btmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/btmp -p wa -k session

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl btmp  oval:ssg-test_arle_btmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/btmp -p wa -k session
Record Attempts to Alter Process and Session Initiation Information utmpxccdf_org.ssgproject.content_rule_audit_rules_session_events_utmp mediumCCE-85714-4

Record Attempts to Alter Process and Session Initiation Information utmp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_session_events_utmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_session_events_utmp:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85714-4

References:  CCI-000172, AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, SLES-15-030760, SV-234975r622137_rule

Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: 
-w /run/utmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: 
-w /run/utmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules utmp  oval:ssg-test_arle_utmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /run/utmp -p wa -k session

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl utmp  oval:ssg-test_arle_utmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /run/utmp -p wa -k session
Record Attempts to Alter Process and Session Initiation Information wtmpxccdf_org.ssgproject.content_rule_audit_rules_session_events_wtmp mediumCCE-85757-3

Record Attempts to Alter Process and Session Initiation Information wtmp

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_session_events_wtmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_session_events_wtmp:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85757-3

References:  CCI-000172, AU-12(c), AU-12.1(iv), SRG-OS-000472-GPOS-00217, SLES-15-030770, SV-234976r622137_rule

Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information: 
 -w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information: 
 -w /var/log/wtmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules wtmp  oval:ssg-test_arle_wtmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/wtmp -p wa -k session

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl wtmp  oval:ssg-test_arle_wtmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/wtmp -p wa -k session
Record Events When Privileged Executables Are Runxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function mediumCCE-85611-2

Record Events When Privileged Executables Are Run

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_suid_privilege_function:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85611-2

References:  CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905, SLES-15-030640, SV-234963r622137_rule

Description
Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: 
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command: 
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Rationale
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setuid.rules-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit augenrules 64-bit uid privileged function  oval:ssg-test_64bit_uid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setuid.rules-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit augenrules 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setgid.rules-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit augenrules 64-bit gid privileged function  oval:ssg-test_64bit_gid_privileged_function_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/setgid.rules-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit uid privileged function  oval:ssg-test_32bit_uid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit auditctl 64-bit uid privileged_function  oval:ssg-test_64bit_uid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid

audit auditctl 32-bit gid privileged function  oval:ssg-test_32bit_gid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid

audit auditctl 64-bit gid privileged_function  oval:ssg-test_64bit_gid_privileged_function_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid
Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-85679-9

Ensure auditd Collects System Administrator Actions

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sysadmin_actions:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85679-9

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv), MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, 10.2.1.5, 10.2.2, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305, SLES-15-030140, 4.1.14, 4.1.15, SV-234913r622137_rule

Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: 
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: 
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers -p wa -k actions

audit augenrules sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers.d/ -p wa -k actions

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers -p wa -k actions

audit auditctl sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers.d/ -p wa -k actions
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-85578-3

Record Events that Modify User/Group Information - /etc/group

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_group:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85578-3

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SLES-15-030010, 4.1.4, SV-234900r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules group  oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/group -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit group  oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/group -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-85580-9

Record Events that Modify User/Group Information - /etc/gshadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_gshadow:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85580-9

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SLES-15-030040, 4.1.4, SV-234903r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-85728-4

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_opasswd:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85728-4

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4).1(i&ii), AU-12.1(iv), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SLES-15-030030, 4.1.4, SV-234902r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-85577-5

Record Events that Modify User/Group Information - /etc/passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_passwd:def:1
Time2023-10-10T09:45:06+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85577-5

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SLES-15-030000, 4.1.4, SV-234899r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-85579-1

Record Events that Modify User/Group Information - /etc/shadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_shadow:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85579-1

References:  BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, 10.2.1.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SLES-15-030020, 4.1.4, SV-234901r622137_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes: 

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceRequires=augenrules.service

audit augenrules shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Encrypt Audit Records Sent With audispd Pluginxccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records mediumCCE-85614-6

Encrypt Audit Records Sent With audispd Plugin

Rule IDxccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_audispd_encrypt_sent_records:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85614-6

References:  CCI-001851, AU-9(3), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, SLES-15-030680, SV-234967r622137_rule

Description
Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in 
/etc/audit/audisp-remote.conf
, and set it with the following line: 
enable_krb5 = yes
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
OVAL test results details

setting in audisp-remote.conf  oval:ssg-test_auditd_audispd_encrypt_sent_records:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audisp-remote.confenable_krb5 = yes
Configure auditd Disk Full Action when Disk Space Is Fullxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action mediumCCE-85606-2

Configure auditd Disk Full Action when Disk Space Is Full

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_disk_full_action:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85606-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, SLES-15-030590, SV-234958r622137_rule

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
OVAL test results details

disk error action  oval:ssg-test_auditd_data_disk_full_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confdisk_full_action = syslog
Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action mediumCCE-85824-1

Configure auditd admin_space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_admin_space_left_action:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85824-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, 4.1.2.3

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately: 
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confadmin_space_left_action = halt
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action mediumCCE-85778-9

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_max_log_file_action:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85778-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000047-GPOS-00023, 4.1.2.2

Description
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf: 
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Rationale
Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confmax_log_file_action = keep_logs
Configure auditd space_left on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left mediumCCE-85616-1

Configure auditd space_left on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85616-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, SLES-15-030700, SV-234969r622137_rule

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately: 
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_space_left:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confspace_left = 100
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-85823-3

Configure auditd space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_action:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85823-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, 4.1.2.3

Description
The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately: 
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confspace_left_action = email
Ensure journald is configured to compress large log filesxccdf_org.ssgproject.content_rule_journald_compress mediumCCE-91377-2

Ensure journald is configured to compress large log files

Rule IDxccdf_org.ssgproject.content_rule_journald_compress
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-journald_compress:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91377-2

References:  4.2.2.2

Description
The journald system can compress large log files to avoid fill the system disk.
Rationale
Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.
OVAL test results details

tests the value of Compress setting in the /etc/systemd/journald.conf file  oval:ssg-test_journald_compress:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/journald.confCompress=yes
Ensure journald is configured to write log files to persistent diskxccdf_org.ssgproject.content_rule_journald_storage mediumCCE-91378-0

Ensure journald is configured to write log files to persistent disk

Rule IDxccdf_org.ssgproject.content_rule_journald_storage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-journald_storage:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91378-0

References:  4.2.2.3

Description
The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.
Rationale
Log files contain valuable data and need to be persistent to aid in possible investigations.
OVAL test results details

tests the value of Storage setting in the /etc/systemd/journald.conf file  oval:ssg-test_journald_storage:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/journald.confStorage=persistent
Disable DCCP Supportxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled mediumCCE-91241-0

Disable DCCP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_dccp_disabled:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91241-0

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-001958, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, 1.4.2, SRG-OS-000096-GPOS-00050, SRG-OS-000378-GPOS-00163, 3.4.1

Description
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf: 
install dccp /bin/true
Rationale
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module dccp blacklisted  oval:ssg-test_kernmod_dccp_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/dccp.confblacklist dccp

kernel module dccp disabled  oval:ssg-test_kernmod_dccp_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/dccp.confinstall dccp /bin/true

kernel module dccp disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_dccp_modprobeconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/modprobe.conf^\s*install\s+dccp\s+(/bin/false|/bin/true)$1
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-91242-8

Disable SCTP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_sctp_disabled:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91242-8

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, 1.4.2, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, 3.4.2

Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf: 
install sctp /bin/true
Rationale
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module sctp blacklisted  oval:ssg-test_kernmod_sctp_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confblacklist sctp

kernel module sctp disabled  oval:ssg-test_kernmod_sctp_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confinstall sctp /bin/true

kernel module sctp disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_sctp_modprobeconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/modprobe.conf^\s*install\s+sctp\s+(/bin/false|/bin/true)$1
Verify Permissions and Ownership of Old Passwords Filexccdf_org.ssgproject.content_rule_file_etc_security_opasswd mediumCCE-85572-6

Verify Permissions and Ownership of Old Passwords File

Rule IDxccdf_org.ssgproject.content_rule_file_etc_security_opasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_etc_security_opasswd:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85572-6

References:  CCI-000200, SRG-OS-000077-GPOS-00045, SLES-15-020240, SV-234893r622137_rule

Description
To properly set the owner of /etc/security/opasswd, run the command: 
$ sudo chown root /etc/security/opasswd
To properly set the group owner of /etc/security/opasswd, run the command: 
$ sudo chgrp root /etc/security/opasswd
To properly set the permissions of /etc/security/opasswd, run the command: 
$ sudo chmod 0600 /etc/security/opasswd
Rationale
The /etc/security/opasswd file stores old passwords to prevent password reuse. Protection of this file is critical for system security.
OVAL test results details

/etc/security/opasswd is owned by root:root / 0600  oval:ssg-test_file_etc_security_opasswd:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/security/opasswdregular00239rw------- 
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-85804-3

Verify Permissions on shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_shadow:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85804-3

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.3

Description
To properly set the permissions of /etc/shadow, run the command: 
$ sudo chmod 0640 /etc/shadow
Rationale
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
OVAL test results details

Testing mode of /etc/shadow  oval:ssg-test_file_permissions_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-exclude_symlinks__etc_shadow:ste:1oval:ssg-state_file_permissions_etc_shadow_0_mode_0640or_stricter_:ste:1
Verify that system commands files are group owned by root or a system accountxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs mediumCCE-85742-5

Verify that system commands files are group owned by root or a system account

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_system_commands_dirs:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85742-5

References:  CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, SLES-15-010361, SV-234844r622137_rule

Description
System commands files are stored in the following directories by default: 
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command: 
$ sudo chgrp root FILE
Rationale
If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
OVAL test results details

system commands are owned by root or a system account  oval:ssg-test_groupownership_system_commands_dirs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type file_object
PathFilenameFilter
^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin^.*$oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1
Disable Mounting of squashfsxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled lowCCE-92452-2

Disable Mounting of squashfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_squashfs_disabled:def:1
Time2023-10-10T09:45:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-92452-2

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.1

Description
To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf: 
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details

kernel module squashfs blacklisted  oval:ssg-test_kernmod_squashfs_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/squashfs.confblacklist squashfs

kernel module squashfs disabled  oval:ssg-test_kernmod_squashfs_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/squashfs.confinstall squashfs /bin/true

kernel module squashfs disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/modprobe.conf^\s*install\s+squashfs\s+(/bin/false|/bin/true)$1
Disable Mounting of udfxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled lowCCE-92453-0

Disable Mounting of udf

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_udf_disabled:def:1
Time2023-10-10T09:45:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-92453-0

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.2

Description
To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf: 
install udf /bin/true
This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details

kernel module udf blacklisted  oval:ssg-test_kernmod_udf_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/udf.confblacklist udf

kernel module udf disabled  oval:ssg-test_kernmod_udf_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/udf.confinstall udf /bin/true

kernel module udf disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_udf_modprobeconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_udf_modprobeconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/modprobe.conf^\s*install\s+udf\s+(/bin/false|/bin/true)$1
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-83294-9

Disable Modprobe Loading of USB Storage Driver

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_usb-storage_disabled:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83294-9

References:  1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, SLES-15-010480, 1.1.23, SV-234856r622137_rule

Description
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf: 
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Rationale
USB storage devices such as thumb drives can be used to introduce malicious software.
OVAL test results details

kernel module usb-storage blacklisted  oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confblacklist usb-storage

kernel module usb-storage disabled  oval:ssg-test_kernmod_usb-storage_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confinstall usb-storage /bin/true

kernel module usb-storage disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/modprobe.conf^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1
Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps mediumCCE-85740-9

Disable Core Dumps for All Users

Rule IDxccdf_org.ssgproject.content_rule_disable_users_coredumps
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_users_coredumps:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85740-9

References:  1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, 1.6.1

Description
To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory: 
*     hard   core    0
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
OVAL test results details

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)1

Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d_exists:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/security/limits.d^.*\.conf$^[\s]*\*[\s]+(?:hard|-)[\s]+core1

Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file  oval:ssg-test_core_dumps_limitsconf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/limits.conf* hard core 0
Verify Permissions on cron.dxccdf_org.ssgproject.content_rule_file_permissions_cron_d mediumCCE-91304-6

Verify Permissions on cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_d:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91304-6

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.7

Description
To properly set the permissions of /etc/cron.d, run the command: 
$ sudo chmod 0700 /etc/cron.d
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.d/  oval:ssg-test_file_permissions_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-exclude_symlinks__cron_d:ste:1oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.dailyxccdf_org.ssgproject.content_rule_file_permissions_cron_daily mediumCCE-91301-2

Verify Permissions on cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_daily:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91301-2

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.4

Description
To properly set the permissions of /etc/cron.daily, run the command: 
$ sudo chmod 0700 /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.daily/  oval:ssg-test_file_permissions_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-exclude_symlinks__cron_daily:ste:1oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.hourlyxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly mediumCCE-91300-4

Verify Permissions on cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_hourly:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91300-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.3

Description
To properly set the permissions of /etc/cron.hourly, run the command: 
$ sudo chmod 0700 /etc/cron.hourly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.hourly/  oval:ssg-test_file_permissions_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-exclude_symlinks__cron_hourly:ste:1oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.monthlyxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly mediumCCE-91303-8

Verify Permissions on cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_monthly:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91303-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.6

Description
To properly set the permissions of /etc/cron.monthly, run the command: 
$ sudo chmod 0700 /etc/cron.monthly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.monthly/  oval:ssg-test_file_permissions_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-exclude_symlinks__cron_monthly:ste:1oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.weeklyxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly mediumCCE-91302-0

Verify Permissions on cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_weekly:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91302-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.1.5

Description
To properly set the permissions of /etc/cron.weekly, run the command: 
$ sudo chmod 0700 /etc/cron.weekly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.weekly/  oval:ssg-test_file_permissions_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-exclude_symlinks__cron_weekly:ste:1oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1
Ensure that chronyd is running under chrony user accountxccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user mediumCCE-91360-8

Ensure that chronyd is running under chrony user account

Rule IDxccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_run_as_chrony_user:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91360-8

References:  2.2.1.3

Description
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, add or edit the OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony: 
OPTIONS="-u chrony"
This recommendation only applies if chrony is in use on the system.
Rationale
If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
OVAL test results details

tests the value of OPTIONS setting in the /etc/sysconfig/chronyd file  oval:ssg-test_chronyd_run_as_chrony_user:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysconfig/chronydOPTIONS=" -u chrony"

The configuration file /etc/sysconfig/chronyd exists for chronyd_run_as_chrony_user  oval:ssg-test_chronyd_run_as_chrony_user_config_file_exists:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/sysconfig/chronydregular00195rw-r--r-- 
Set SSH Client Alive Count Max to zeroxccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 mediumCCE-83284-0

Set SSH Client Alive Count Max to zero

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_keepalive_0:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83284-0

References:  1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SLES-15-010320, SV-234830r622137_rule

Description
The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered unresponsive and terminated. To ensure the SSH timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0 in /etc/ssh/sshd_config:
Rationale
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_keepalive_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveCountMax 0

Verify that the value of ClientAliveCountMax is present  oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveCountMax 0
Set SSH Client Alive Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-83281-6

Set SSH Client Alive Interval

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_idle_timeout:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83281-6

References:  BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SLES-15-010280, 5.2.16, SV-234827r622137_rule

Description
SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows: 
ClientAliveInterval 600


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Warnings
warning  SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.
warning  Following conditions may prevent the SSH session to time out:
  • Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
  • Any scp or sftp activity by the same user to the host resets the timeout.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

timeout is configured  oval:ssg-test_sshd_idle_timeout:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveInterval 600

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_keepalive_clientalivecountmax:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveCountMax 0
Disable SSH TCP Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding mediumCCE-91334-3

Disable SSH TCP Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_tcp_forwarding:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91334-3

References:  2.2.6, 5.2.20

Description
The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted. To disable TCP forwarding, add or correct the following line in /etc/ssh/sshd_config: 
AllowTcpForwarding no
Rationale
Leaving port forwarding enabled can expose the organization to security risks and back-doors.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Disable SSH TCP Forwarding
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*AllowTcpForwarding\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*AllowTcpForwarding\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*AllowTcpForwarding\s+
      line: AllowTcpForwarding no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91334-3
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_tcp_forwarding

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_tcp_forwarding:tst:1  false

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configAllowTcpForwarding yes

Verify that the value of AllowTcpForwarding is present  oval:ssg-test_AllowTcpForwarding_present_sshd_disable_tcp_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configAllowTcpForwarding yes
Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-85642-7

Disable SSH Support for User Known Hosts

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_user_known_hosts:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85642-7

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, SLES-15-040230, SV-235007r622137_rule

Description
SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config: 
IgnoreUserKnownHosts yes
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_user_known_hosts:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configIgnoreUserKnownHosts yes

Verify that the value of IgnoreUserKnownHosts is present  oval:ssg-test_IgnoreUserKnownHosts_present_sshd_disable_user_known_hosts:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configIgnoreUserKnownHosts yes
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-85707-8

Disable X11 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_x11_forwarding:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85707-8

References:  CCI-000366, CM-6.1(iv), 2.2.4, SRG-OS-000480-GPOS-00227, SLES-15-040290, 5.2.6, SV-235013r622137_rule

Description
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config: 
X11Forwarding no
Rationale
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11Forwarding no

Verify that the value of X11Forwarding is present  oval:ssg-test_X11Forwarding_present_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11Forwarding no
Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-83263-4

Enable SSH Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_warning_banner:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83263-4

References:  1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, Req-2.2.4, 2.2.6, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, SLES-15-010040, 5.2.18, SV-234805r622137_rule

Description
To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: 
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
Rationale
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of Banner setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_warning_banner:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configBanner /etc/issue

Verify that the value of Banner is present  oval:ssg-test_Banner_present_sshd_enable_warning_banner:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configBanner /etc/issue
Set SSH Daemon LogLevel to VERBOSExccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose mediumCCE-83270-9

Set SSH Daemon LogLevel to VERBOSE

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_loglevel_verbose:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83270-9

References:  CCI-000067, CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), Req-2.2.4, 2.2.6, SRG-OS-000032-GPOS-00013, SLES-15-010150, 5.2.5, SV-234815r622137_rule

Description
The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config: 
LogLevel VERBOSE
Rationale
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of LogLevel setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_loglevel_verbose:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configLogLevel VERBOSE

Verify that the value of LogLevel is present  oval:ssg-test_LogLevel_present_sshd_set_loglevel_verbose:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configLogLevel VERBOSE
Set SSH authentication attempt limitxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries mediumCCE-91332-7

Set SSH authentication attempt limit

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_max_auth_tries:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91332-7

References:  0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 2.2.6, 5.2.7

Description
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows: 
MaxAuthTries 4
Rationale
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

maxauthtries is configured  oval:ssg-test_sshd_max_auth_tries:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxAuthTries 4
Set SSH MaxSessions limitxccdf_org.ssgproject.content_rule_sshd_set_max_sessions mediumCCE-91309-5

Set SSH MaxSessions limit

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_max_sessions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_max_sessions:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91309-5

References:  2.2.6, 5.2.22

Description
The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit /etc/ssh/sshd_config as follows: 
MaxSessions 10
Rationale
To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

maxsessions is configured  oval:ssg-test_sshd_max_sessions:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxSessions 10
Ensure SSH MaxStartups is configuredxccdf_org.ssgproject.content_rule_sshd_set_maxstartups mediumCCE-91308-7

Ensure SSH MaxStartups is configured

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_maxstartups
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_maxstartups:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91308-7

References:  2.2.6, 5.2.21

Description
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To confgure MaxStartups, you should add or correct the following line in the /etc/ssh/sshd_config file: 
MaxStartups 10:30:100
CIS recommends a MaxStartups value of '10:30:60', or more restrictive where dictated by site policy.
Rationale
To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

SSH MaxStartups start parameter is less than or equal to 10  oval:ssg-tst_maxstartups_start_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:100

SSH MaxStartups rate parameter is greater than or equal to 30  oval:ssg-tst_maxstartups_rate_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:100

SSH MaxStartups full parameter is less than or equal to 100  oval:ssg-tst_maxstartups_full_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:100
Use Only FIPS 140-2 Validated Ciphersxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers mediumCCE-91337-6

Use Only FIPS 140-2 Validated Ciphers

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_approved_ciphers:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91337-6

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, 6, 8, 9, 5.5.6, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, MEA02.01, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000366, CCI-000803, CCI-000877, CCI-002890, CCI-003123, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), IA-5(1)(c), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-1, PR.PT-3, PR.PT-4, 2.2.7, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SLES-15-010160, 5.2.13, SV-234816r744125_rule

Description
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers: 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se.
Rationale
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

tests the value of Ciphers setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_ciphers:tst:1  true

Following items have been found on the system:
Var refValueValueValue
oval:ssg-var_sshd_config_ciphers:var:1aes256-ctraes192-ctraes128-ctr
Use Only FIPS 140-2 Validated Ciphersxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig mediumCCE-83271-7

Use Only FIPS 140-2 Validated Ciphers

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_approved_ciphers_ordered_stig:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83271-7

References:  CCI-000068, CCI-000366, CCI-000803, CCI-000877, CCI-002890, CCI-003123, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SLES-15-010160, SV-234816r744125_rule

Description
Limit the ciphers to those algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers: 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.
Rationale
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on SUSE Linux Enterprise 15.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

tests the value of Ciphers setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_ciphers_ordered_stig:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configCiphers aes256-ctr,aes192-ctr,aes128-ctr # Per CCE-91338-4: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com in /etc/ssh/sshd_config
Use Only FIPS 140-2 Validated MACsxccdf_org.ssgproject.content_rule_sshd_use_approved_macs mediumCCE-91338-4

Use Only FIPS 140-2 Validated MACs

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_approved_macs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_approved_macs:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91338-4

References:  1, 12, 13, 15, 16, 5, 8, APO01.06, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.03, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-003123, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.5.1, 4.3.3.6.6, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-17(a), AC-17(2), SC-13, MA-4(6), SC-12(2), SC-12(3), PR.AC-1, PR.AC-3, PR.DS-5, PR.PT-4, 2.2.7, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174, SLES-15-010270, 5.2.14, SV-234826r744126_rule

Description
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs: 
MACs hmac-sha2-512,hmac-sha2-256
The man page sshd_config(5) contains a list of supported MACs. The rule is parametrized to use the following MACs: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com.
Rationale
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is removed  oval:ssg-test_package_openssh_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh is installed  oval:ssg-test_package_openssh_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
opensshx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-0:8.4p1-150300.3.22.1.x86_64

tests the value of MACs setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_macs:tst:1  true

Following items have been found on the system:
Var refValueValue
oval:ssg-var_sshd_config_macs:var:1hmac-sha2-512hmac-sha2-256
Use Only FIPS 140-2 Validated MACsxccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig mediumCCE-83280-8

Use Only FIPS 140-2 Validated MACs

Rule IDxccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_use_approved_macs_ordered_stig:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83280-8

References:  CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-003123, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174, SLES-15-010270, SV-234826r744126_rule

Description
Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs: 
MACs hmac-sha2-512,hmac-sha2-256
This rule ensures that there are configured MACs mentioned above (or their subset), keeping the given order of algorithms.
Rationale
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel7_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-client is version 7  oval:ssg-test_rhel7_client:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name
redhat-release-client

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-workstation is version 7  oval:ssg-test_rhel7_workstation:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name
redhat-release-workstation

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-server is version 7  oval:ssg-test_rhel7_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name
redhat-release-server

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-computenode is version 7  oval:ssg-test_rhel7_computenode:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name
redhat-release-computenode

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 7  oval:ssg-test_rhevh_rhel7_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_rhel8_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release is version 8  oval:ssg-test_rhel8:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
Name
redhat-release

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

redhat-release-virtualization-host RPM package is installed  oval:ssg-test_rhvh4_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name
redhat-release-virtualization-host

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

RHEVH base RHEL is version 8  oval:ssg-test_rhevh_rhel8_version:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/redhat-release^Red Hat Enterprise Linux release (\d)\.\d+$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

os-release is rhcos  oval:ssg-test_rhcos:tst:1  false

Following items have been found on the system:
PathContent
/etc/os-releaseID="sles"

os-release is rhcos  oval:ssg-test_rhcos:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^ID="(\w+)"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

rhcoreos is version 4  oval:ssg-test_rhcos4:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/os-release^VERSION_ID="(\d)\.\d+"$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

oraclelinux-release is version 7  oval:ssg-test_ol7_system:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name
oraclelinux-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle12_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 6  oval:ssg-test_sle12_desktop:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 6  oval:ssg-test_sle12_server:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name
sles-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 12  oval:ssg-test_sles_12_for_sap:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

installed OS part of unix family  oval:ssg-test_sle15_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sled-release is version 15  oval:ssg-test_sle15_desktop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name
sled-release

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

sles-release is version 15  oval:ssg-test_sle15_server:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sles-releasex86_64(none)150500.43.415.50:15.5-150500.43.470af9e8139db7c82sles-release-0:15.5-150500.43.4.x86_64

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SLES_SAP-release is version 15  oval:ssg-test_sles_15_for_sap:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
Name
SLES_SAP-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SUMA is version 4  oval:ssg-test_suma_4:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
Name
SUSE-Manager-Server-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

SLE HPC release is version 15  oval:ssg-test_sle_hpc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
Name
SLE_HPC-release

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Check Ubuntu version  oval:ssg-test_ubuntu_xenial:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=xenial$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Check Ubuntu version  oval:ssg-test_ubuntu_bionic:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=bionic$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  true

Following items have been found on the system:
Family
unix

Test installed OS is part of the unix family  oval:ssg-test_unix_family:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

/etc/lsb-release exists  oval:ssg-test_lsb:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type file_object
Filepath
/etc/lsb-release

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu  oval:ssg-test_ubuntu:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_ID=Ubuntu$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Check Ubuntu version  oval:ssg-test_ubuntu_focal:tst:1  not evaluated

No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/lsb-release^DISTRIB_CODENAME=focal$1

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)150300.3.22.18.4p10:8.4p1-150300.3.22.170af9e8139db7c82openssh-server-0:8.4p1-150300.3.22.1.x86_64

tests the value of MACs setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_macs_ordered_stig:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMACs hmac-sha2-512,hmac-sha2-256
Verify Permissions on SSH Server config filexccdf_org.ssgproject.content_rule_file_permissions_sshd_config mediumCCE-91306-1

Verify Permissions on SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_config:def:1
Time2023-10-10T09:45:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-91306-1

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 2.2.6, SRG-OS-000480-GPOS-00227, 5.2.1

Description
To properly set the permissions of /etc/ssh/sshd_config, run the command: 
$ sudo chmod 0600 /etc/ssh/sshd_config
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/ssh/sshd_config  oval:ssg-test_file_permissions_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-exclude_symlinks__sshd_config:ste:1oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1
Scroll back to the first rule
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.