Merge whitespace changes

Liz Rice 2020-12-22 12:18:25 +00:00
parent b494df8909
commit 9fc95ff756

@ -5,7 +5,7 @@ id: 1
description: "Initial Setup" description: "Initial Setup"
type: "master" type: "master"
groups: groups:
- id: 1.1 - id: 1.1
description: "Filesystem Configuration" description: "Filesystem Configuration"
checks: checks:
- id: 1.1.1 - id: 1.1.1
@ -372,7 +372,6 @@ groups:
# mount -o remount,nodev /tmp # mount -o remount,nodev /tmp
scored: true scored: true
- id: 1.1.4 - id: 1.1.4
description: "Ensure nosuid option set on /tmp partition" description: "Ensure nosuid option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
@ -396,7 +395,6 @@ groups:
# mount -o remount,nosuid /tmp # mount -o remount,nosuid /tmp
scored: true scored: true
- id: 1.1.5 - id: 1.1.5
description: "Ensure noexec option set on /tmp partition" description: "Ensure noexec option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec" audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
@ -455,7 +453,6 @@ groups:
scored: true scored: true
- id: 1.1.9 - id: 1.1.9
description: "Ensure nosuid option set on /var/tmp partition" description: "Ensure nosuid option set on /var/tmp partition"
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
@ -559,7 +556,6 @@ groups:
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
description: "Ensure nosuid option set on /dev/shm partition" description: "Ensure nosuid option set on /dev/shm partition"
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
@ -737,7 +733,7 @@ groups:
Run the following command to unload the usb-storage module: Run the following command to unload the usb-storage module:
# rmmod usb-storage # rmmod usb-storage
scored: true scored: true
- id: 1.2 - id: 1.2
description: "Configure Software Updates" description: "Configure Software Updates"
checks: checks:
- id: 1.2.1 - id: 1.2.1
@ -798,7 +794,7 @@ groups:
remediation: | remediation: |
Update your package manager GPG keys in accordance with site policy. Update your package manager GPG keys in accordance with site policy.
scored: false scored: false
- id: 1.3 - id: 1.3
description: "Filesystem Integrity Checking" description: "Filesystem Integrity Checking"
checks: checks:
- id: 1.3.1 - id: 1.3.1
@ -907,7 +903,7 @@ groups:
scored: true scored: true
- id: 1.4 - id: 1.4
description: "Secure Boot Settings" description: "Secure Boot Settings"
checks: checks:
- id: 1.4.1 - id: 1.4.1
@ -1032,7 +1028,7 @@ groups:
description: "Ensure interactive boot is not enabled" description: "Ensure interactive boot is not enabled"
sub_checks: sub_checks:
- check: - check:
audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot" audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot'
constraints: constraints:
boot: boot:
- grub - grub
@ -1040,7 +1036,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "PROMPT_FOR_CONFIRM=\"no\"" - flag: 'PROMPT_FOR_CONFIRM="no"'
set: true set: true
remediation: | remediation: |
If interactive boot is available disable it. If interactive boot is available disable it.
@ -1062,8 +1058,7 @@ groups:
If interactive boot is available disable it. If interactive boot is available disable it.
scored: false scored: false
- id: 1.5
- id: 1.5
description: "Additional Process Hardening" description: "Additional Process Hardening"
checks: checks:
- id: 1.5.1.a - id: 1.5.1.a
@ -1316,10 +1311,10 @@ groups:
zypper remove prelink zypper remove prelink
scored: true scored: true
- id: 1.6 - id: 1.6
description: "Mandatory Access Control" description: "Mandatory Access Control"
checks: checks:
- id: 1.6.1 - id: 1.6.1
description: "Ensure Mandatory Access Control Software is Installed" description: "Ensure Mandatory Access Control Software is Installed"
checks: checks:
- id: 1.6.1.1 - id: 1.6.1.1
@ -1428,7 +1423,7 @@ groups:
# zypper install libselinux # zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- id: 1.6.2 - id: 1.6.2
description: "Configure SELinux" description: "Configure SELinux"
checks: checks:
- id: 1.6.2.1 - id: 1.6.2.1
@ -1587,7 +1582,6 @@ groups:
SELINUXTYPE=targeted SELINUXTYPE=targeted
scored: true scored: true
- id: 1.6.2.4 - id: 1.6.2.4
description: "Ensure SETroubleshoot is not installed" description: "Ensure SETroubleshoot is not installed"
sub_checks: sub_checks:
@ -1718,7 +1712,7 @@ groups:
scored: true scored: true
- id: 1.6.2.6 - id: 1.6.2.6
description: "Ensure no unconfined daemons exist" description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | grep -E -v -w \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'" audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }'''
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
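Review bot: the 1.6.2.6 audit string is now hard to verify by eye, because moving it into a single-quoted YAML scalar forces every shell single quote to be doubled, giving `tr '':'' '' ''` and `awk ''{ print $NF }'''`. The value still decodes to the same pipeline, but a miscounted quote here would change or break the command the check runs. A block scalar (`audit: |`) or the previous double-quoted form avoids the escaping entirely. This is also a quoting change rather than a whitespace change, so the commit message should say so.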
@ -1729,7 +1723,7 @@ groups:
remediation: | remediation: |
Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them. Investigate any unconfined daemons found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.
scored: true scored: true
- id: 1.6.3 - id: 1.6.3
description: "Configure AppArmor" description: "Configure AppArmor"
checks: checks:
- id: 1.6.3.1 - id: 1.6.3.1
@ -1802,11 +1796,10 @@ groups:
Any unconfined processes may need to have a profile created or activated for them and then be restarted. Any unconfined processes may need to have a profile created or activated for them and then be restarted.
scored: true scored: true
- id: 1.7
- id: 1.7
description: "Warning Banners" description: "Warning Banners"
checks: checks:
- id: 1.7.1 - id: 1.7.1
description: "Command Line Warning Banners" description: "Command Line Warning Banners"
checks: checks:
- id: 1.7.1.1.a - id: 1.7.1.1.a
@ -1895,7 +1888,6 @@ groups:
# chmod 644 /etc/motd # chmod 644 /etc/motd
scored: true scored: true
- id: 1.7.1.5 - id: 1.7.1.5
description: "Ensure permissions on /etc/issue are configured" description: "Ensure permissions on /etc/issue are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
@ -1940,7 +1932,7 @@ groups:
banner-message-text='Authorized uses only. All activity may be monitored and reported.' banner-message-text='Authorized uses only. All activity may be monitored and reported.'
scored: true scored: true
- id: 1.8 - id: 1.8
description: "Ensure updates, patches, and additional security software are installed" description: "Ensure updates, patches, and additional security software are installed"
sub_checks: sub_checks:
- check: - check:
@ -1970,14 +1962,14 @@ groups:
Use your package manager to update all packages on the system according to site policy. Use your package manager to update all packages on the system according to site policy.
scored: false scored: false
- id: 2 - id: 2
description: "Services" description: "Services"
- id: 2.1 - id: 2.1
description: "inetd Services" description: "inetd Services"
checks: checks:
- id: 2.1.1.a - id: 2.1.1.a
description: "Ensure chargen services are not enabled" description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/inetd.*" audit: 'grep -R "^chargen" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -1992,7 +1984,7 @@ groups:
- id: 2.1.1.b - id: 2.1.1.b
description: "Ensure chargen services are not enabled" description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/xinetd.conf /etc/xinetd.* " audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* '
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
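Review bot: the rewritten 2.1.1.b audit carries over a trailing space inside the quotes (`/etc/xinetd.* '`), and the glob `/etc/xinetd.*` already matches `/etc/xinetd.conf`, so naming that file explicitly searches it twice. The later xinetd checks in this commit (2.1.6.b through 2.1.9.b) use only `/etc/xinetd.*`; since this line is being touched anyway, drop the trailing space and settle on one path form for all the `.b` checks.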
@ -2007,7 +1999,7 @@ groups:
- id: 2.1.2.a - id: 2.1.2.a
description: "Ensure daytime services are not enabled" description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/inetd.*" audit: 'grep -R "^daytime" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2022,7 +2014,7 @@ groups:
- id: 2.1.2.b - id: 2.1.2.b
description: "Ensure daytime services are not enabled" description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2037,7 +2029,7 @@ groups:
- id: 2.1.3.a - id: 2.1.3.a
description: "Ensure discard services are not enabled" description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/inetd.*" audit: 'grep -R "^discard" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2052,7 +2044,7 @@ groups:
- id: 2.1.3.b - id: 2.1.3.b
description: "Ensure discard services are not enabled" description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2067,7 +2059,7 @@ groups:
- id: 2.1.4.a - id: 2.1.4.a
description: "Ensure echo services are not enabled" description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/inetd.*" audit: 'grep -R "^echo" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2082,7 +2074,7 @@ groups:
- id: 2.1.4.b - id: 2.1.4.b
description: "Ensure echo services are not enabled" description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2097,7 +2089,7 @@ groups:
- id: 2.1.5.a - id: 2.1.5.a
description: "Ensure time services are not enabled" description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/inetd.*" audit: 'grep -R "^time" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2112,7 +2104,7 @@ groups:
- id: 2.1.5.b - id: 2.1.5.b
description: "Ensure time services are not enabled" description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2127,7 +2119,7 @@ groups:
- id: 2.1.6.a - id: 2.1.6.a
description: "Ensure rsh server is not enabled" description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*" audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2142,7 +2134,7 @@ groups:
- id: 2.1.6.b - id: 2.1.6.b
description: "Ensure rsh server is not enabled" description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*" audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2157,7 +2149,7 @@ groups:
- id: 2.1.7.a - id: 2.1.7.a
description: "Ensure talk server is not enabled" description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*" audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2172,7 +2164,7 @@ groups:
- id: 2.1.7.b - id: 2.1.7.b
description: "Ensure talk server is not enabled" description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*" audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2187,7 +2179,7 @@ groups:
- id: 2.1.8.a - id: 2.1.8.a
description: "Ensure telnet server is not enabled" description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/inetd.*" audit: 'grep -R "^telnet" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2202,7 +2194,7 @@ groups:
- id: 2.1.8.b - id: 2.1.8.b
description: "Ensure telnet server is not enabled" description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/xinetd.*" audit: 'grep -R "^telnet" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2217,7 +2209,7 @@ groups:
- id: 2.1.9.a - id: 2.1.9.a
description: "Ensure tftp server is not enabled" description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/inetd.*" audit: 'grep -R "^tftp" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2232,7 +2224,7 @@ groups:
- id: 2.1.9.b - id: 2.1.9.b
description: "Ensure tftp server is not enabled" description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/xinetd.*" audit: 'grep -R "^tftp" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2310,10 +2302,10 @@ groups:
# update-rc.d xinetd disable # update-rc.d xinetd disable
scored: true scored: true
- id: 2.2 - id: 2.2
description: "Special Purpose Services" description: "Special Purpose Services"
checks: checks:
- id: 2.2.1 - id: 2.2.1
description: "Time Synchronization" description: "Time Synchronization"
checks: checks:
- id: 2.2.1.1.a - id: 2.2.1.1.a
@ -2484,7 +2476,7 @@ groups:
- id: 2.2.1.2.b - id: 2.2.1.2.b
description: "Ensure ntp is configured" description: "Ensure ntp is configured"
audit: "grep -E \"^(server|pool)\" /etc/ntp.conf" audit: 'grep -E "^(server|pool)" /etc/ntp.conf'
type: manual type: manual
tests: tests:
test_items: test_items:
@ -2525,7 +2517,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "OPTIONS=\"-u ntp:ntp\"" - flag: 'OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2557,7 +2549,7 @@ groups:
- ubuntu18 - ubuntu18
tests: tests:
test_items: test_items:
- flag: "OPTIONS=\"-u ntp:ntp\"" - flag: 'OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2593,7 +2585,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" - flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2625,7 +2617,7 @@ groups:
- ubuntu18 - ubuntu18
tests: tests:
test_items: test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" - flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2688,7 +2680,7 @@ groups:
- id: 2.2.1.3.a - id: 2.2.1.3.a
description: "Ensure chrony is configured" description: "Ensure chrony is configured"
audit: "grep -E \"^(server|pool)\" /etc/chrony.conf" audit: 'grep -E "^(server|pool)" /etc/chrony.conf'
type: manual type: manual
tests: tests:
test_items: test_items:
@ -2748,7 +2740,6 @@ groups:
# timedatectl set-ntp true # timedatectl set-ntp true
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
description: "Ensure X Window System is not installed" description: "Ensure X Window System is not installed"
sub_checks: sub_checks:
@ -3804,7 +3795,7 @@ groups:
# update-rc.d ypserv disable # update-rc.d ypserv disable
scored: true scored: true
- id: 2.3 - id: 2.3
description: "Service Clients" description: "Service Clients"
checks: checks:
- id: 2.3.1 - id: 2.3.1
@ -4120,9 +4111,9 @@ groups:
# zypper remove openldap-clients # zypper remove openldap-clients
scored: true scored: true
- id: 3 - id: 3
description: "Network Configuration" description: "Network Configuration"
- id: 3.1 - id: 3.1
description: "Network Parameters (Host Only)etwork Parameters (Host Only)" description: "Network Parameters (Host Only)etwork Parameters (Host Only)"
checks: checks:
- id: 3.1.1.a - id: 3.1.1.a
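Review bot: the description for group 3.1 reads "Network Parameters (Host Only)etwork Parameters (Host Only)" on both sides of the diff, which looks like a paste error that this cleanup leaves in place. Since the hunk already rewrites the neighbouring `- id: 3.1` line, fix the string to "Network Parameters (Host Only)" in the same commit so the report output is not garbled.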
@ -4318,7 +4309,7 @@ groups:
scored: true scored: true
- id: 3.2 - id: 3.2
description: "Network Parameters (Host and Router)" description: "Network Parameters (Host and Router)"
checks: checks:
- id: 3.2.1.a - id: 3.2.1.a
@ -4785,7 +4776,6 @@ groups:
scored: true scored: true
- id: 3.2.3.a - id: 3.2.3.a
description: "Ensure secure ICMP redirects are not accepted" description: "Ensure secure ICMP redirects are not accepted"
audit: "sysctl net.ipv4.conf.all.secure_redirects" audit: "sysctl net.ipv4.conf.all.secure_redirects"
@ -5302,7 +5292,7 @@ groups:
scored: true scored: true
- id: 3.3 - id: 3.3
description: "TCP Wrappers" description: "TCP Wrappers"
checks: checks:
- id: 3.3.1 - id: 3.3.1
@ -5385,7 +5375,6 @@ groups:
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system. where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
scored: false scored: false
- id: 3.3.3 - id: 3.3.3
description: "Ensure /etc/hosts.deny is configured" description: "Ensure /etc/hosts.deny is configured"
audit: "cat /etc/hosts.deny" audit: "cat /etc/hosts.deny"
@ -5400,7 +5389,6 @@ groups:
scored: false scored: false
- id: 3.3.4 - id: 3.3.4
description: "Ensure permissions on /etc/hosts.allow are configured" description: "Ensure permissions on /etc/hosts.allow are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
@ -5416,7 +5404,6 @@ groups:
scored: true scored: true
- id: 3.3.5 - id: 3.3.5
description: "Ensure permissions on /etc/hosts.deny are configured" description: "Ensure permissions on /etc/hosts.deny are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
@ -5432,8 +5419,7 @@ groups:
scored: true scored: true
- id: 3.4
- id: 3.4
description: "Uncommon Network Protocols" description: "Uncommon Network Protocols"
checks: checks:
- id: 3.4.1.a - id: 3.4.1.a
@ -5564,9 +5550,9 @@ groups:
scored: true scored: true
- id: 3.5 - id: 3.5
description: "Firewall Configuration" description: "Firewall Configuration"
- id: 3.5.1 - id: 3.5.1
description: "Configure IPv6 ip6tables" description: "Configure IPv6 ip6tables"
checks: checks:
- id: 3.5.1.1 - id: 3.5.1.1
@ -5595,8 +5581,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5617,8 +5602,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes) Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5670,7 +5654,7 @@ groups:
scored: true scored: true
- id: 3.5.2 - id: 3.5.2
description: "Configure IPv4 iptables" description: "Configure IPv4 iptables"
checks: checks:
- id: 3.5.2.1 - id: 3.5.2.1
@ -5699,8 +5683,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5721,8 +5704,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes) Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5756,8 +5738,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Active Internet connections (only servers) Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
@ -5775,8 +5756,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5855,7 +5835,7 @@ groups:
# zypper install iptables # zypper install iptables
scored: true scored: true
- id: 3.6 - id: 3.6
description: "Ensure wireless interfaces are disabled (Not Scored)" description: "Ensure wireless interfaces are disabled (Not Scored)"
checks: checks:
- id: 3.6.a - id: 3.6.a
@ -5882,7 +5862,7 @@ groups:
Disable any wireless interfaces in your network configuration. Disable any wireless interfaces in your network configuration.
scored: false scored: false
- id: 3.7 - id: 3.7
description: "Ensure wireless interfaces are disabled (Not Scored)" description: "Ensure wireless interfaces are disabled (Not Scored)"
checks: checks:
- id: 3.7 - id: 3.7
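Review bot: group 3.7 has the same description as group 3.6 in the previous hunk, "Ensure wireless interfaces are disabled (Not Scored)", and its first check reuses the group id `3.7`. Two groups with identical titles make the report ambiguous about which control failed. Please confirm what 3.7 is meant to cover and give it its own description, and give the check an id distinct from its group.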
@ -5929,13 +5909,12 @@ groups:
# update-grub # update-grub
scored: false scored: false
- id: 4
- id: 4
description: "Logging and Auditing" description: "Logging and Auditing"
- id: 4.1 - id: 4.1
description: "Configure System Accounting (auditd)" description: "Configure System Accounting (auditd)"
checks: checks:
- id: 4.1.1 - id: 4.1.1
description: "Configure Data Retention" description: "Configure Data Retention"
checks: checks:
- id: 4.1.1.1 - id: 4.1.1.1
@ -6446,7 +6425,6 @@ groups:
scored: true scored: true
- id: 4.1.9.b - id: 4.1.9.b
description: "Ensure login and logout events are collected" description: "Ensure login and logout events are collected"
audit: "auditctl -l | grep logins" audit: "auditctl -l | grep logins"
@ -6642,7 +6620,6 @@ groups:
And add all resulting lines to the file. And add all resulting lines to the file.
scored: true scored: true
- id: 4.1.14.a - id: 4.1.14.a
description: "Ensure successful file system mounts are collected" description: "Ensure successful file system mounts are collected"
audit: "grep mounts /etc/audit/rules.d/*.rules" audit: "grep mounts /etc/audit/rules.d/*.rules"
@ -6735,6 +6712,7 @@ groups:
and add the following lines: and add the following lines:
-w /etc/sudoers -p wa -k scope -w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope
scored: true scored: true
- id: 4.1.16.b - id: 4.1.16.b
@ -6753,6 +6731,7 @@ groups:
and add the following lines: and add the following lines:
-w /etc/sudoers -p wa -k scope -w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope
scored: true scored: true
- id: 4.1.17.a - id: 4.1.17.a
@ -6770,6 +6749,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules Example: vi /etc/audit/rules.d/audit.rules
and add the following lines: and add the following lines:
-w /var/log/sudo.log -p wa -k actions -w /var/log/sudo.log -p wa -k actions
scored: true scored: true
- id: 4.1.17.b - id: 4.1.17.b
@ -6784,6 +6764,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules Example: vi /etc/audit/rules.d/audit.rules
and add the following lines: and add the following lines:
-w /var/log/sudo.log -p wa -k actions -w /var/log/sudo.log -p wa -k actions
scored: true scored: true
- id: 4.1.18.a - id: 4.1.18.a
@ -6808,6 +6789,7 @@ groups:
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
scored: true scored: true
- id: 4.1.18.b - id: 4.1.18.b
@ -6847,9 +6829,9 @@ groups:
at the end of the file at the end of the file
scored: true scored: true
- id: 4.2 - id: 4.2
description: "Configure Logging" description: "Configure Logging"
- id: 4.2.1 - id: 4.2.1
description: "Configure rsyslog" description: "Configure rsyslog"
checks: checks:
- id: 4.2.1.1 - id: 4.2.1.1
@ -7114,7 +7096,7 @@ groups:
# pkill -HUP rsyslogd # pkill -HUP rsyslogd
scored: false scored: false
- id: 4.2.2 - id: 4.2.2
description: "Configure journald" description: "Configure journald"
checks: checks:
- id: 4.2.2.1 - id: 4.2.2.1
@ -7168,9 +7150,9 @@ groups:
remediation: | remediation: |
Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy.
scored: false scored: false
- id: 5 - id: 5
description: "Access, Authentication and Authorization" description: "Access, Authentication and Authorization"
- id: 5.1 - id: 5.1
description: "Configure cron" description: "Configure cron"
checks: checks:
- id: 5.1.1 - id: 5.1.1
@ -7250,7 +7232,6 @@ groups:
scored: true scored: true
- id: 5.1.3 - id: 5.1.3
description: "Ensure permissions on /etc/cron.hourly are configured" description: "Ensure permissions on /etc/cron.hourly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
@ -7266,7 +7247,6 @@ groups:
scored: true scored: true
- id: 5.1.4 - id: 5.1.4
description: "Ensure permissions on /etc/cron.daily are configured" description: "Ensure permissions on /etc/cron.daily are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
@ -7282,7 +7262,6 @@ groups:
scored: true scored: true
- id: 5.1.5 - id: 5.1.5
description: "Ensure permissions on /etc/cron.weekly are configured" description: "Ensure permissions on /etc/cron.weekly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
@ -7298,7 +7277,6 @@ groups:
scored: true scored: true
- id: 5.1.6 - id: 5.1.6
description: "Ensure permissions on /etc/cron.monthly are configured" description: "Ensure permissions on /etc/cron.monthly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
@ -7314,7 +7292,6 @@ groups:
scored: true scored: true
- id: 5.1.7 - id: 5.1.7
description: "Ensure permissions on /etc/cron.d are configured" description: "Ensure permissions on /etc/cron.d are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
@ -7330,7 +7307,6 @@ groups:
scored: true scored: true
- id: 5.1.8.a - id: 5.1.8.a
description: "Ensure at/cron is restricted to authorized users" description: "Ensure at/cron is restricted to authorized users"
audit: "stat /etc/cron.deny" audit: "stat /etc/cron.deny"
@ -7415,7 +7391,7 @@ groups:
scored: true scored: true
- id: 5.2 - id: 5.2
description: "SSH Server Configuration" description: "SSH Server Configuration"
checks: checks:
- id: 5.2.1 - id: 5.2.1
@ -7433,7 +7409,6 @@ groups:
scored: true scored: true
- id: 5.2.2 - id: 5.2.2
description: "Ensure permissions on SSH private host key files are configured" description: "Ensure permissions on SSH private host key files are configured"
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;" audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
@ -7484,7 +7459,6 @@ groups:
LogLevel INFO LogLevel INFO
scored: true scored: true
- id: 5.2.6 - id: 5.2.6
description: "Ensure SSH X11 forwarding is disabled" description: "Ensure SSH X11 forwarding is disabled"
audit: "grep ^X11Forwarding /etc/ssh/sshd_config" audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
@ -7499,8 +7473,6 @@ groups:
scored: true scored: true
- id: 5.2.7 - id: 5.2.7
description: "Ensure SSH MaxAuthTries is set to 4 or less" description: "Ensure SSH MaxAuthTries is set to 4 or less"
audit: "sshd -T | grep maxauthtries" audit: "sshd -T | grep maxauthtries"
@ -7532,7 +7504,6 @@ groups:
scored: true scored: true
- id: 5.2.9 - id: 5.2.9
description: "Ensure SSH HostbasedAuthentication is disabled" description: "Ensure SSH HostbasedAuthentication is disabled"
audit: "sshd -T | grep hostbasedauthentication" audit: "sshd -T | grep hostbasedauthentication"
@ -7547,7 +7518,6 @@ groups:
scored: true scored: true
- id: 5.2.10 - id: 5.2.10
description: "Ensure SSH root login is disabled" description: "Ensure SSH root login is disabled"
audit: "sshd -T | grep permitrootlogin" audit: "sshd -T | grep permitrootlogin"
@ -7562,8 +7532,6 @@ groups:
scored: true scored: true
- id: 5.2.11 - id: 5.2.11
description: "Ensure SSH PermitEmptyPasswords is disabled" description: "Ensure SSH PermitEmptyPasswords is disabled"
audit: "sshd -T | grep permitemptypasswords" audit: "sshd -T | grep permitemptypasswords"
@ -7592,7 +7560,6 @@ groups:
scored: true scored: true
- id: 5.2.13 - id: 5.2.13
description: "Ensure only approved MAC algorithms are used" description: "Ensure only approved MAC algorithms are used"
audit: "sshd -T | grep ciphers" audit: "sshd -T | grep ciphers"
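Review bot: check 5.2.13 is described as "Ensure only approved MAC algorithms are used" but its audit is `sshd -T | grep ciphers`, and the MAC check is 5.2.14 with `grep -i "MACs"`. The description should name ciphers, not MACs, otherwise a failed cipher check is reported to the operator as a MAC problem and the wrong sshd_config directive gets edited.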
@ -7626,10 +7593,9 @@ groups:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
scored: true scored: true
- id: 5.2.14 - id: 5.2.14
description: "Ensure only strong MAC algorithms are used" description: "Ensure only strong MAC algorithms are used"
audit: "sshd -T | grep -i \"MACs\"" audit: 'sshd -T | grep -i "MACs"'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -7749,7 +7715,6 @@ groups:
scored: true scored: true
- id: 5.2.18.a - id: 5.2.18.a
description: "Ensure SSH access is limited" description: "Ensure SSH access is limited"
audit: "sshd -T | grep allowusers" audit: "sshd -T | grep allowusers"
@ -7880,8 +7845,7 @@ groups:
MaxSessions 4 MaxSessions 4
scored: true scored: true
- id: 5.3
- id: 5.3
description: "Configure PAM" description: "Configure PAM"
checks: checks:
- id: 5.3.1 - id: 5.3.1
@ -7954,9 +7918,9 @@ groups:
scored: false scored: false
- id: 5.4 - id: 5.4
description: "User Accounts and Environment" description: "User Accounts and Environment"
- id: 5.4.1 - id: 5.4.1
description: "Set Shadow Password Suite Parameters" description: "Set Shadow Password Suite Parameters"
checks: checks:
- id: 5.4.1.1.a - id: 5.4.1.1.a
@ -8199,7 +8163,6 @@ groups:
scored: true scored: true
- id: 5.4.4.a - id: 5.4.4.a
description: "Ensure default user umask is 027 or more restrictive" description: "Ensure default user umask is 027 or more restrictive"
sub_checks: sub_checks:
@ -8299,7 +8262,7 @@ groups:
TMOUT=600 TMOUT=600
scored: true scored: true
- id: 5.5 - id: 5.5
description: "Set Shadow Password Suite Parameters" description: "Set Shadow Password Suite Parameters"
checks: checks:
- id: 5.5 - id: 5.5
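Review bot: the group at id 5.5 carries the description "Set Shadow Password Suite Parameters", the same text as group 5.4.1, and the check under it is also numbered 5.5. The re-indent itself is fine, but the description looks copied. Give 5.5 a description that matches its check, and consider distinct ids for the group and the check so their results can be told apart in the output.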
@ -8354,9 +8317,9 @@ groups:
scored: true scored: true
- id: 6 - id: 6
description: "System Maintenance" description: "System Maintenance"
- id: 6.1 - id: 6.1
description: "System File Permissions" description: "System File Permissions"
checks: checks:
- id: 6.1.1 - id: 6.1.1
@ -8402,10 +8365,9 @@ groups:
scored: true scored: true
- id: 6.1.3 - id: 6.1.3
description: "Ensure permissions on /etc/shadow are configured" description: "Ensure permissions on /etc/shadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8414,7 +8376,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8430,10 +8392,9 @@ groups:
scored: true scored: true
- id: 6.1.4 - id: 6.1.4
description: "Ensure permissions on /etc/group are configured" description: "Ensure permissions on /etc/group are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group'
tests: tests:
test_items: test_items:
- flag: "Uid:root/0 Gid:root/0 permissions=644" - flag: "Uid:root/0 Gid:root/0 permissions=644"
@ -8446,10 +8407,9 @@ groups:
scored: true scored: true
- id: 6.1.5 - id: 6.1.5
description: "Ensure permissions on /etc/gshadow are configured" description: "Ensure permissions on /etc/gshadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8458,7 +8418,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8476,7 +8436,7 @@ groups:
- id: 6.1.6 - id: 6.1.6
description: "Ensure permissions on /etc/passwd- are configured" description: "Ensure permissions on /etc/passwd- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/passwd-" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8495,10 +8455,9 @@ groups:
scored: true scored: true
- id: 6.1.7 - id: 6.1.7
description: "Ensure permissions on /etc/shadow- are configured" description: "Ensure permissions on /etc/shadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow-" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8507,7 +8466,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8523,10 +8482,9 @@ groups:
scored: true scored: true
- id: 6.1.8 - id: 6.1.8
description: "Ensure permissions on /etc/group- are configured" description: "Ensure permissions on /etc/group- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group-" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8545,10 +8503,9 @@ groups:
scored: true scored: true
- id: 6.1.9 - id: 6.1.9
description: "Ensure permissions on /etc/gshadow- are configured" description: "Ensure permissions on /etc/gshadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow-" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8557,7 +8514,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8573,7 +8530,6 @@ groups:
scored: true scored: true
- id: 6.1.10.a - id: 6.1.10.a
description: "Ensure no world writable files exist" description: "Ensure no world writable files exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
@ -8686,12 +8642,12 @@ groups:
Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries. Ensure that no rogue SGID programs have been introduced into the system. Review the files returned by the action in the Audit section and confirm the integrity of these binaries.
scored: false scored: false
- id: 6.2 - id: 6.2
description: "User and Group Settings" description: "User and Group Settings"
checks: checks:
- id: 6.2.1 - id: 6.2.1
description: "Ensure password fields are not empty" description: "Ensure password fields are not empty"
audit: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow" audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
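Review bot: the rewritten 6.2.1 audit is now a single-quoted YAML scalar in which each shell single quote has to be doubled (`''($2 == "" ) { ... }''`). It parses to the same awk command as before, but the doubled quotes are easy to break in a later edit. A block scalar (`audit: |`), which this file already uses for other checks, would carry the command with no escaping at all.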
@ -8708,7 +8664,7 @@ groups:
scored: true scored: true
- id: 6.2.2 - id: 6.2.2
description: "Ensure no legacy \"+\" entries exist in /etc/passwd" description: 'Ensure no legacy "+" entries exist in /etc/passwd'
audit: "grep '^\\+:' /etc/passwd" audit: "grep '^\\+:' /etc/passwd"
tests: tests:
test_items: test_items:
@ -8721,9 +8677,8 @@ groups:
Remove any legacy '+' entries from `/etc/passwd` if they exist. Remove any legacy '+' entries from `/etc/passwd` if they exist.
scored: true scored: true
- id: 6.2.3 - id: 6.2.3
description: "Ensure no legacy \"+\" entries exist in /etc/shadow" description: 'Ensure no legacy "+" entries exist in /etc/shadow'
audit: "grep '^\\+:' /etc/shadow" audit: "grep '^\\+:' /etc/shadow"
tests: tests:
test_items: test_items:
@ -8736,9 +8691,8 @@ groups:
Remove any legacy '+' entries from `/etc/shadow` if they exist. Remove any legacy '+' entries from `/etc/shadow` if they exist.
scored: true scored: true
- id: 6.2.4 - id: 6.2.4
description: "Ensure no legacy \"+\" entries exist in /etc/group" description: 'Ensure no legacy "+" entries exist in /etc/group'
audit: "grep '^\\+:' /etc/group" audit: "grep '^\\+:' /etc/group"
tests: tests:
test_items: test_items:
@ -8751,7 +8705,6 @@ groups:
Remove any legacy '+' entries from `/etc/group` if they exist. Remove any legacy '+' entries from `/etc/group` if they exist.
scored: true scored: true
- id: 6.2.5 - id: 6.2.5
description: "Ensure root is the only UID 0 account" description: "Ensure root is the only UID 0 account"
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
@ -8810,7 +8763,6 @@ groups:
Correct or justify any items discovered in the Audit step. Correct or justify any items discovered in the Audit step.
scored: true scored: true
- id: 6.2.7 - id: 6.2.7
description: "Ensure all users' home directories exist" description: "Ensure all users' home directories exist"
audit: | audit: |
@ -8892,7 +8844,6 @@ groups:
Change the ownership of any home directories that are not owned by the defined user to the correct user. Change the ownership of any home directories that are not owned by the defined user to the correct user.
scored: true scored: true
- id: 6.2.10 - id: 6.2.10
description: "Ensure users' dot files are not group or world writable" description: "Ensure users' dot files are not group or world writable"
audit: | audit: |
@ -8949,7 +8900,6 @@ groups:
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
scored: true scored: true
- id: 6.2.12 - id: 6.2.12
description: "Ensure no users have .netrc files" description: "Ensure no users have .netrc files"
audit: | audit: |
@ -9137,7 +9087,6 @@ groups:
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs. Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
scored: true scored: true
- id: 6.2.19 - id: 6.2.19
description: "Ensure no duplicate group names exist" description: "Ensure no duplicate group names exist"
audit: | audit: |
@ -9177,7 +9126,7 @@ groups:
- id: 6.2.20.b - id: 6.2.20.b
description: "Ensure shadow group is empty" description: "Ensure shadow group is empty"
audit: "awk -F: '($4 == \"\") { print }' /etc/passwd" audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
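Review bot: in 6.2.20.b the audit compares field 4 of /etc/passwd (the primary GID) with an empty string, so it prints only accounts whose GID field is blank and never looks at the shadow group that the description and remediation are about. The requoting preserves that behaviour. The comparison should be against the shadow group's GID, otherwise the empty expected output passes regardless of who has shadow as their primary group.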
@ -9188,4 +9137,3 @@ groups:
remediation: | remediation: |
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
scored: true scored: true