<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="utf-8"></meta><meta http-equiv="X-UA-Compatible" content="IE=edge"></meta><meta name="viewport" content="width=device-width, initial-scale=1"></meta><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream | OpenSCAP Evaluation Report</title><style>
/*!
 * Bootstrap v3.2.0 (http://getbootstrap.com)
 * Copyright 2011-2014 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 */
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s 
linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open 
.dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-bottom-left-radius:4px;border-top-right-radius:0;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group 
.dropdown-menu{left:auto}[data-toggle="buttons"]>.btn>input[type="radio"],[data-toggle="buttons"]>.btn>input[type="checkbox"]{position:absolute;z-index:-1;opacity:0;filter:alpha(opacity=0)}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group 
.form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 
15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top 
.navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open 
.dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media 
(min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default 
.navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle 
.icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn 
.label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:baseline;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info hr{border-top-color:#a6e1ec}.alert-info 
.alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear 
infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{color:#777;min-width:30px;background-color:transparent;background-image:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, 
transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group 
.list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child 
td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate3d(0, -25%, 0);transform:translate3d(0, -25%, 0);-webkit-transition:-webkit-transform 0.3s ease-out;-moz-transition:-moz-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid 
rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5;min-height:16.42857143px}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal 
.form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important;visibility:hidden !important}.affix{position:fixed;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and 
(max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media (min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}
table.treetable span.indenter{display:inline-block;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px;margin:0;padding:0;}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px;}table.treetable tr.collapsed span.indenter a{background-image:url(data:image/png;base64,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);}table.treetable tr.expanded span.indenter a{background-image:url(data:image/png;base64,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);}table.treetable tr.branch{background-color:#f9f9f9;}table.treetable tr.selected{background-color:#3875d7;color:#fff;}table.treetable tr span.indenter a{outline:none;}tr.rule-overview-needs-attention td a{color:#d9534f;}td.rule-result div,span.rule-result{text-align:center;font-weight:700;color:#fff;background:gray;}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e;}.js-only{display:none;}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f;}#footer{text-align:center;margin-top:50px;}pre{overflow:auto!important;word-wrap:normal!important;white-space:pre;}div.check-system-details,div.remediation,div.description{display:inline-block;width:0;min-width:100%;overflow-x:auto;}div.modal-body{margin:50px;padding:0;}div.horizontal-scroll{overflow-x:auto;}div.top-spacer-10{margin-top:10px;}td.rule-result-fail div,span.rule-result-fail,td.rule-result-error div,span.rule-result-error{background:#d9534f;}td.rule-result-pass div,span.rule-result-pass,td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c;}.rule-result-filtered,.rule-result-filtered > *,.search-no-match,.search-no-match > *{display:none!important;}@media print{.container{width:100%;}.rule-result abbr[title]:after,.identifiers 
abbr[title]:after,.identifiers a[href]:after{content:"";}}</style><script>
/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return 
null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.call(arguments,2),e=function(){return 
a.apply(b||this,c.concat(d.call(arguments)))},e.guid=a.guid=a.guid||m.guid++,e):void 0},now:function(){return+new Date},support:k}),m.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(a,b){h["[object "+b+"]"]=b.toLowerCase()});function r(a){var b=a.length,c=m.type(a);return"function"===c||m.isWindow(a)?!1:1===a.nodeType&&b?!0:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var s=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+-new Date,v=a.document,w=0,x=0,y=gb(),z=gb(),A=gb(),B=function(a,b){return a===b&&(l=!0),0},C="undefined",D=1<<31,E={}.hasOwnProperty,F=[],G=F.pop,H=F.push,I=F.push,J=F.slice,K=F.indexOf||function(a){for(var b=0,c=this.length;c>b;b++)if(this[b]===a)return b;return-1},L="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",M="[\\x20\\t\\r\\n\\f]",N="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=N.replace("w","w#"),P="\\["+M+"*("+N+")(?:"+M+"*([*^$|!~]?=)"+M+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+O+"))|)"+M+"*\\]",Q=":("+N+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+P+")*)|.*)\\)|)",R=new RegExp("^"+M+"+|((?:^|[^\\\\])(?:\\\\.)*)"+M+"+$","g"),S=new RegExp("^"+M+"*,"+M+"*"),T=new RegExp("^"+M+"*([>+~]|"+M+")"+M+"*"),U=new RegExp("="+M+"*([^\\]'\"]*?)"+M+"*\\]","g"),V=new RegExp(Q),W=new RegExp("^"+O+"$"),X={ID:new RegExp("^#("+N+")"),CLASS:new RegExp("^\\.("+N+")"),TAG:new RegExp("^("+N.replace("w","w*")+")"),ATTR:new RegExp("^"+P),PSEUDO:new RegExp("^"+Q),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+L+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/^(?:input|select|textarea|button)$/i,Z=/^h\d$/i,$=/^[^{]+\{\s*\[native 
\w/,_=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ab=/[+~]/,bb=/'|\\/g,cb=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),db=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)};try{I.apply(F=J.call(v.childNodes),v.childNodes),F[v.childNodes.length].nodeType}catch(eb){I={apply:F.length?function(a,b){H.apply(a,J.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fb(a,b,d,e){var f,h,j,k,l,o,r,s,w,x;if((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,d=d||[],!a||"string"!=typeof a)return d;if(1!==(k=b.nodeType)&&9!==k)return[];if(p&&!e){if(f=_.exec(a))if(j=f[1]){if(9===k){if(h=b.getElementById(j),!h||!h.parentNode)return d;if(h.id===j)return d.push(h),d}else if(b.ownerDocument&&(h=b.ownerDocument.getElementById(j))&&t(b,h)&&h.id===j)return d.push(h),d}else{if(f[2])return I.apply(d,b.getElementsByTagName(a)),d;if((j=f[3])&&c.getElementsByClassName&&b.getElementsByClassName)return I.apply(d,b.getElementsByClassName(j)),d}if(c.qsa&&(!q||!q.test(a))){if(s=r=u,w=b,x=9===k&&a,1===k&&"object"!==b.nodeName.toLowerCase()){o=g(a),(r=b.getAttribute("id"))?s=r.replace(bb,"\\$&"):b.setAttribute("id",s),s="[id='"+s+"'] ",l=o.length;while(l--)o[l]=s+qb(o[l]);w=ab.test(a)&&ob(b.parentNode)||b,x=o.join(",")}if(x)try{return I.apply(d,w.querySelectorAll(x)),d}catch(y){}finally{r||b.removeAttribute("id")}}}return i(a.replace(R,"$1"),b,d,e)}function gb(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function hb(a){return a[u]=!0,a}function ib(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function jb(a,b){var c=a.split("|"),e=a.length;while(e--)d.attrHandle[c[e]]=b}function kb(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||D)-(~a.sourceIndex||D);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function 
lb(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function mb(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function nb(a){return hb(function(b){return b=+b,hb(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function ob(a){return a&&typeof a.getElementsByTagName!==C&&a}c=fb.support={},f=fb.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fb.setDocument=function(a){var b,e=a?a.ownerDocument||a:v,g=e.defaultView;return e!==n&&9===e.nodeType&&e.documentElement?(n=e,o=e.documentElement,p=!f(e),g&&g!==g.top&&(g.addEventListener?g.addEventListener("unload",function(){m()},!1):g.attachEvent&&g.attachEvent("onunload",function(){m()})),c.attributes=ib(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ib(function(a){return a.appendChild(e.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=$.test(e.getElementsByClassName)&&ib(function(a){return a.innerHTML="<div class='a'></div><div class='a i'></div>",a.firstChild.className="i",2===a.getElementsByClassName("i").length}),c.getById=ib(function(a){return o.appendChild(a).id=u,!e.getElementsByName||!e.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if(typeof b.getElementById!==C&&p){var c=b.getElementById(a);return c&&c.parentNode?[c]:[]}},d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){var c=typeof a.getAttributeNode!==C&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return typeof b.getElementsByTagName!==C?b.getElementsByTagName(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return 
f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return typeof b.getElementsByClassName!==C&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=$.test(e.querySelectorAll))&&(ib(function(a){a.innerHTML="<select msallowclip=''><option selected=''></option></select>",a.querySelectorAll("[msallowclip^='']").length&&q.push("[*^$]="+M+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+M+"*(?:value|"+L+")"),a.querySelectorAll(":checked").length||q.push(":checked")}),ib(function(a){var b=e.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+M+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=$.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ib(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",Q)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=$.test(o.compareDocumentPosition),t=b||$.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===e||a.ownerDocument===v&&t(v,a)?-1:b===e||b.ownerDocument===v&&t(v,b)?1:k?K.call(k,a)-K.call(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,f=a.parentNode,g=b.parentNode,h=[a],i=[b];if(!f||!g)return a===e?-1:b===e?1:f?-1:g?1:k?K.call(k,a)-K.call(k,b):0;if(f===g)return 
kb(a,b);c=a;while(c=c.parentNode)h.unshift(c);c=b;while(c=c.parentNode)i.unshift(c);while(h[d]===i[d])d++;return d?kb(h[d],i[d]):h[d]===v?-1:i[d]===v?1:0},e):n},fb.matches=function(a,b){return fb(a,null,null,b)},fb.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(U,"='$1']"),!(!c.matchesSelector||!p||r&&r.test(b)||q&&q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fb(b,n,null,[a]).length>0},fb.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fb.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&E.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fb.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fb.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fb.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fb.selectors={cacheLength:50,createPseudo:hb,match:X,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(cb,db),a[3]=(a[3]||a[4]||a[5]||"").replace(cb,db),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fb.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fb.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return 
X.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&V.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(cb,db).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+M+")"+a+"("+M+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||typeof a.getAttribute!==C&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fb.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h;if(q){if(f){while(p){l=b;while(l=l[p])if(h?l.nodeName.toLowerCase()===r:1===l.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){k=q[u]||(q[u]={}),j=k[a]||[],n=j[0]===w&&j[1],m=j[0]===w&&j[2],l=n&&q.childNodes[n];while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if(1===l.nodeType&&++m&&l===b){k[a]=[w,n,m];break}}else if(s&&(j=(b[u]||(b[u]={}))[a])&&j[0]===w)m=j[1];else while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if((h?l.nodeName.toLowerCase()===r:1===l.nodeType)&&++m&&(s&&((l[u]||(l[u]={}))[a]=[w,m]),l===b))break;return m-=e,m===d||m%d===0&&m/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fb.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?hb(function(a,c){var 
d,f=e(a,b),g=f.length;while(g--)d=K.call(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:hb(function(a){var b=[],c=[],d=h(a.replace(R,"$1"));return d[u]?hb(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),!c.pop()}}),has:hb(function(a){return function(b){return fb(a,b).length>0}}),contains:hb(function(a){return function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:hb(function(a){return W.test(a||"")||fb.error("unsupported lang: "+a),a=a.replace(cb,db).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Z.test(a.nodeName)},input:function(a){return Y.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:nb(function(){return[0]}),last:nb(function(a,b){return[b-1]}),eq:nb(function(a,b,c){return[0>c?c+b:c]}),even:nb(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:nb(function(a,b){for(var 
c=1;b>c;c+=2)a.push(c);return a}),lt:nb(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:nb(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=lb(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=mb(b);function pb(){}pb.prototype=d.filters=d.pseudos,d.setFilters=new pb,g=fb.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){(!c||(e=S.exec(h)))&&(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=T.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(R," ")}),h=h.slice(c.length));for(g in d.filter)!(e=X[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fb.error(a):z(a,i).slice(0)};function qb(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function rb(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(i=b[u]||(b[u]={}),(h=i[d])&&h[0]===w&&h[1]===f)return j[2]=h[2];if(i[d]=j,j[2]=a(b,c,g))return!0}}}function sb(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function tb(a,b,c){for(var d=0,e=b.length;e>d;d++)fb(a,b[d],c);return c}function ub(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(!c||c(f,d,e))&&(g.push(f),j&&b.push(h));return g}function vb(a,b,c,d,e,f){return d&&!d[u]&&(d=vb(d)),e&&!e[u]&&(e=vb(e,f)),hb(function(f,g,h,i){var 
j,k,l,m=[],n=[],o=g.length,p=f||tb(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ub(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ub(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?K.call(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ub(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):I.apply(g,r)})}function wb(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=rb(function(a){return a===b},h,!0),l=rb(function(a){return K.call(b,a)>-1},h,!0),m=[function(a,c,d){return!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d))}];f>i;i++)if(c=d.relative[a[i].type])m=[rb(sb(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return vb(i>1&&sb(m),i>1&&qb(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(R,"$1"),c,e>i&&wb(a.slice(i,e)),f>e&&wb(a=a.slice(e)),f>e&&qb(a))}m.push(c)}return sb(m)}function xb(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,m,o,p=0,q="0",r=f&&[],s=[],t=j,u=f||e&&d.find.TAG("*",k),v=w+=null==t?1:Math.random()||.1,x=u.length;for(k&&(j=g!==n&&g);q!==x&&null!=(l=u[q]);q++){if(e&&l){m=0;while(o=a[m++])if(o(l,g,h)){i.push(l);break}k&&(w=v)}c&&((l=!o&&l)&&p--,f&&r.push(l))}if(p+=q,c&&q!==p){m=0;while(o=b[m++])o(r,s,g,h);if(f){if(p>0)while(q--)r[q]||s[q]||(s[q]=G.call(i));s=ub(s)}I.apply(i,s),k&&!f&&s.length>0&&p+b.length>1&&fb.uniqueSort(i)}return k&&(w=v,j=t),r};return c?hb(f):f}return h=fb.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wb(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xb(e,d)),f.selector=a}return f},i=fb.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof 
a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(cb,db),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=X.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(cb,db),ab.test(j[0].type)&&ob(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qb(j),!a)return I.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,ab.test(a)&&ob(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ib(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ib(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||jb("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ib(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||jb("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ib(function(a){return null==a.getAttribute("disabled")})||jb(L,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fb}(a);m.find=s,m.expr=s.selectors,m.expr[":"]=m.expr.pseudos,m.unique=s.uniqueSort,m.text=s.getText,m.isXMLDoc=s.isXML,m.contains=s.contains;var t=m.expr.match.needsContext,u=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/^.[^:#\[\.,]*$/;function w(a,b,c){if(m.isFunction(b))return m.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return m.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(v.test(b))return m.filter(b,a,c);b=m.filter(b,a)}return m.grep(a,function(a){return m.inArray(a,b)>=0!==c})}m.filter=function(a,b,c){var d=b[0];return 
c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?m.find.matchesSelector(d,a)?[d]:[]:m.find.matches(a,m.grep(b,function(a){return 1===a.nodeType}))},m.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(m(a).filter(function(){for(b=0;e>b;b++)if(m.contains(d[b],this))return!0}));for(b=0;e>b;b++)m.find(a,d[b],c);return c=this.pushStack(e>1?m.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(w(this,a||[],!1))},not:function(a){return this.pushStack(w(this,a||[],!0))},is:function(a){return!!w(this,"string"==typeof a&&t.test(a)?m(a):a||[],!1).length}});var x,y=a.document,z=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,A=m.fn.init=function(a,b){var c,d;if(!a)return this;if("string"==typeof a){if(c="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:z.exec(a),!c||!c[1]&&b)return!b||b.jquery?(b||x).find(a):this.constructor(b).find(a);if(c[1]){if(b=b instanceof m?b[0]:b,m.merge(this,m.parseHTML(c[1],b&&b.nodeType?b.ownerDocument||b:y,!0)),u.test(c[1])&&m.isPlainObject(b))for(c in b)m.isFunction(this[c])?this[c](b[c]):this.attr(c,b[c]);return this}if(d=y.getElementById(c[2]),d&&d.parentNode){if(d.id!==c[2])return x.find(a);this.length=1,this[0]=d}return this.context=y,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):m.isFunction(a)?"undefined"!=typeof x.ready?x.ready(a):a(m):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),m.makeArray(a,this))};A.prototype=m.fn,x=m(y);var B=/^(?:parents|prev(?:Until|All))/,C={children:!0,contents:!0,next:!0,prev:!0};m.extend({dir:function(a,b,c){var d=[],e=a[b];while(e&&9!==e.nodeType&&(void 0===c||1!==e.nodeType||!m(e).is(c)))1===e.nodeType&&d.push(e),e=e[b];return d},sibling:function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c}}),m.fn.extend({has:function(a){var b,c=m(a,this),d=c.length;return 
this.filter(function(){for(b=0;d>b;b++)if(m.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=t.test(a)||"string"!=typeof a?m(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&m.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?m.unique(f):f)},index:function(a){return a?"string"==typeof a?m.inArray(this[0],m(a)):m.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(m.unique(m.merge(this.get(),m(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function D(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}m.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return m.dir(a,"parentNode")},parentsUntil:function(a,b,c){return m.dir(a,"parentNode",c)},next:function(a){return D(a,"nextSibling")},prev:function(a){return D(a,"previousSibling")},nextAll:function(a){return m.dir(a,"nextSibling")},prevAll:function(a){return m.dir(a,"previousSibling")},nextUntil:function(a,b,c){return m.dir(a,"nextSibling",c)},prevUntil:function(a,b,c){return m.dir(a,"previousSibling",c)},siblings:function(a){return m.sibling((a.parentNode||{}).firstChild,a)},children:function(a){return m.sibling(a.firstChild)},contents:function(a){return m.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:m.merge([],a.childNodes)}},function(a,b){m.fn[a]=function(c,d){var e=m.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=m.filter(d,e)),this.length>1&&(C[a]||(e=m.unique(e)),B.test(a)&&(e=e.reverse())),this.pushStack(e)}});var E=/\S+/g,F={};function G(a){var b=F[a]={};return m.each(a.match(E)||[],function(a,c){b[c]=!0}),b}m.Callbacks=function(a){a="string"==typeof a?F[a]||G(a):m.extend({},a);var 
b,c,d,e,f,g,h=[],i=!a.once&&[],j=function(l){for(c=a.memory&&l,d=!0,f=g||0,g=0,e=h.length,b=!0;h&&e>f;f++)if(h[f].apply(l[0],l[1])===!1&&a.stopOnFalse){c=!1;break}b=!1,h&&(i?i.length&&j(i.shift()):c?h=[]:k.disable())},k={add:function(){if(h){var d=h.length;!function f(b){m.each(b,function(b,c){var d=m.type(c);"function"===d?a.unique&&k.has(c)||h.push(c):c&&c.length&&"string"!==d&&f(c)})}(arguments),b?e=h.length:c&&(g=d,j(c))}return this},remove:function(){return h&&m.each(arguments,function(a,c){var d;while((d=m.inArray(c,h,d))>-1)h.splice(d,1),b&&(e>=d&&e--,f>=d&&f--)}),this},has:function(a){return a?m.inArray(a,h)>-1:!(!h||!h.length)},empty:function(){return h=[],e=0,this},disable:function(){return h=i=c=void 0,this},disabled:function(){return!h},lock:function(){return i=void 0,c||k.disable(),this},locked:function(){return!i},fireWith:function(a,c){return!h||d&&!i||(c=c||[],c=[a,c.slice?c.slice():c],b?i.push(c):j(c)),this},fire:function(){return k.fireWith(this,arguments),this},fired:function(){return!!d}};return k},m.extend({Deferred:function(a){var b=[["resolve","done",m.Callbacks("once memory"),"resolved"],["reject","fail",m.Callbacks("once memory"),"rejected"],["notify","progress",m.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return m.Deferred(function(c){m.each(b,function(b,f){var g=m.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&m.isFunction(a.promise)?a.promise().done(c.resolve).fail(c.reject).progress(c.notify):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?m.extend(a,d):d}},e={};return d.pipe=d.then,m.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return 
e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=d.call(arguments),e=c.length,f=1!==e||a&&m.isFunction(a.promise)?e:0,g=1===f?a:m.Deferred(),h=function(a,b,c){return function(e){b[a]=this,c[a]=arguments.length>1?d.call(arguments):e,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(e>1)for(i=new Array(e),j=new Array(e),k=new Array(e);e>b;b++)c[b]&&m.isFunction(c[b].promise)?c[b].promise().done(h(b,k,c)).fail(g.reject).progress(h(b,j,i)):--f;return f||g.resolveWith(k,c),g.promise()}});var H;m.fn.ready=function(a){return m.ready.promise().done(a),this},m.extend({isReady:!1,readyWait:1,holdReady:function(a){a?m.readyWait++:m.ready(!0)},ready:function(a){if(a===!0?!--m.readyWait:!m.isReady){if(!y.body)return setTimeout(m.ready);m.isReady=!0,a!==!0&&--m.readyWait>0||(H.resolveWith(y,[m]),m.fn.triggerHandler&&(m(y).triggerHandler("ready"),m(y).off("ready")))}}});function I(){y.addEventListener?(y.removeEventListener("DOMContentLoaded",J,!1),a.removeEventListener("load",J,!1)):(y.detachEvent("onreadystatechange",J),a.detachEvent("onload",J))}function J(){(y.addEventListener||"load"===event.type||"complete"===y.readyState)&&(I(),m.ready())}m.ready.promise=function(b){if(!H)if(H=m.Deferred(),"complete"===y.readyState)setTimeout(m.ready);else if(y.addEventListener)y.addEventListener("DOMContentLoaded",J,!1),a.addEventListener("load",J,!1);else{y.attachEvent("onreadystatechange",J),a.attachEvent("onload",J);var c=!1;try{c=null==a.frameElement&&y.documentElement}catch(d){}c&&c.doScroll&&!function e(){if(!m.isReady){try{c.doScroll("left")}catch(a){return setTimeout(e,50)}I(),m.ready()}}()}return H.promise(b)};var K="undefined",L;for(L in m(k))break;k.ownLast="0"!==L,k.inlineBlockNeedsLayout=!1,m(function(){var 
a,b,c,d;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",k.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(d))}),function(){var a=y.createElement("div");if(null==k.deleteExpando){k.deleteExpando=!0;try{delete a.test}catch(b){k.deleteExpando=!1}}a=null}(),m.acceptData=function(a){var b=m.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b};var M=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,N=/([A-Z])/g;function O(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(N,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:M.test(c)?m.parseJSON(c):c}catch(e){}m.data(a,b,c)}else c=void 0}return c}function P(a){var b;for(b in a)if(("data"!==b||!m.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function Q(a,b,d,e){if(m.acceptData(a)){var f,g,h=m.expando,i=a.nodeType,j=i?m.cache:a,k=i?a[h]:a[h]&&h;
if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||m.guid++:h),j[k]||(j[k]=i?{}:{toJSON:m.noop}),("object"==typeof b||"function"==typeof b)&&(e?j[k]=m.extend(j[k],b):j[k].data=m.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[m.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[m.camelCase(b)])):f=g,f}}function R(a,b,c){if(m.acceptData(a)){var d,e,f=a.nodeType,g=f?m.cache:a,h=f?a[m.expando]:m.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){m.isArray(b)?b=b.concat(m.map(b,m.camelCase)):b in d?b=[b]:(b=m.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!P(d):!m.isEmptyObject(d))return}(c||(delete g[h].data,P(g[h])))&&(f?m.cleanData([a],!0):k.deleteExpando||g!=g.window?delete g[h]:g[h]=null)}}}m.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?m.cache[a[m.expando]]:a[m.expando],!!a&&!P(a)},data:function(a,b,c){return Q(a,b,c)},removeData:function(a,b){return R(a,b)},_data:function(a,b,c){return Q(a,b,c,!0)},_removeData:function(a,b){return R(a,b,!0)}}),m.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=m.data(f),1===f.nodeType&&!m._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=m.camelCase(d.slice(5)),O(f,d,e[d])));m._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){m.data(this,a)}):arguments.length>1?this.each(function(){m.data(this,a,b)}):f?O(f,a,m.data(f,a)):void 0},removeData:function(a){return this.each(function(){m.removeData(this,a)})}}),m.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=m._data(a,b),c&&(!d||m.isArray(c)?d=m._data(a,b,m.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var 
c=m.queue(a,b),d=c.length,e=c.shift(),f=m._queueHooks(a,b),g=function(){m.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return m._data(a,c)||m._data(a,c,{empty:m.Callbacks("once memory").add(function(){m._removeData(a,b+"queue"),m._removeData(a,c)})})}}),m.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?m.queue(this[0],a):void 0===b?this:this.each(function(){var c=m.queue(this,a,b);m._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&m.dequeue(this,a)})},dequeue:function(a){return this.each(function(){m.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=m.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=m._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}});var S=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,T=["Top","Right","Bottom","Left"],U=function(a,b){return a=b||a,"none"===m.css(a,"display")||!m.contains(a.ownerDocument,a)},V=m.access=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===m.type(c)){e=!0;for(h in c)m.access(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,m.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(m(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},W=/^(?:checkbox|radio)$/i;!function(){var a=y.createElement("input"),b=y.createElement("div"),c=y.createDocumentFragment();if(b.innerHTML="  <link/><table></table><a href='/a'>a</a><input 
type='checkbox'/>",k.leadingWhitespace=3===b.firstChild.nodeType,k.tbody=!b.getElementsByTagName("tbody").length,k.htmlSerialize=!!b.getElementsByTagName("link").length,k.html5Clone="<:nav></:nav>"!==y.createElement("nav").cloneNode(!0).outerHTML,a.type="checkbox",a.checked=!0,c.appendChild(a),k.appendChecked=a.checked,b.innerHTML="<textarea>x</textarea>",k.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue,c.appendChild(b),b.innerHTML="<input type='radio' checked='checked' name='t'/>",k.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,k.noCloneEvent=!0,b.attachEvent&&(b.attachEvent("onclick",function(){k.noCloneEvent=!1}),b.cloneNode(!0).click()),null==k.deleteExpando){k.deleteExpando=!0;try{delete b.test}catch(d){k.deleteExpando=!1}}}(),function(){var b,c,d=y.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(k[b+"Bubbles"]=c in a)||(d.setAttribute(c,"t"),k[b+"Bubbles"]=d.attributes[c].expando===!1);d=null}();var X=/^(?:input|select|textarea)$/i,Y=/^key/,Z=/^(?:mouse|pointer|contextmenu)|click/,$=/^(?:focusinfocus|focusoutblur)$/,_=/^([^.]*)(?:\.(.+)|)$/;function ab(){return!0}function bb(){return!1}function cb(){try{return y.activeElement}catch(a){}}m.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=m.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return typeof m===K||a&&m.event.triggered===a.type?void 
0:m.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(E)||[""],h=b.length;while(h--)f=_.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=m.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=m.event.special[o]||{},l=m.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&m.expr.match.needsContext.test(e),namespace:p.join(".")},i),(n=g[o])||(n=g[o]=[],n.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?n.splice(n.delegateCount++,0,l):n.push(l),m.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m.hasData(a)&&m._data(a);if(r&&(k=r.events)){b=(b||"").match(E)||[""],j=b.length;while(j--)if(h=_.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=m.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,n=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=n.length;while(f--)g=n[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(n.splice(f,1),g.selector&&n.delegateCount--,l.remove&&l.remove.call(a,g));i&&!n.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||m.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)m.event.remove(a,o+b[j],c,d,!0);m.isEmptyObject(k)&&(delete r.handle,m._removeData(a,"events"))}},trigger:function(b,c,d,e){var f,g,h,i,k,l,n,o=[d||y],p=j.call(b,"type")?b.type:b,q=j.call(b,"namespace")?b.namespace.split("."):[];if(h=l=d=d||y,3!==d.nodeType&&8!==d.nodeType&&!$.test(p+m.event.triggered)&&(p.indexOf(".")>=0&&(q=p.split("."),p=q.shift(),q.sort()),g=p.indexOf(":")<0&&"on"+p,b=b[m.expando]?b:new m.Event(p,"object"==typeof b&&b),b.isTrigger=e?2:3,b.namespace=q.join("."),b.namespace_re=b.namespace?new RegExp("(^|\\.)"+q.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 
0,b.target||(b.target=d),c=null==c?[b]:m.makeArray(c,[b]),k=m.event.special[p]||{},e||!k.trigger||k.trigger.apply(d,c)!==!1)){if(!e&&!k.noBubble&&!m.isWindow(d)){for(i=k.delegateType||p,$.test(i+p)||(h=h.parentNode);h;h=h.parentNode)o.push(h),l=h;l===(d.ownerDocument||y)&&o.push(l.defaultView||l.parentWindow||a)}n=0;while((h=o[n++])&&!b.isPropagationStopped())b.type=n>1?i:k.bindType||p,f=(m._data(h,"events")||{})[b.type]&&m._data(h,"handle"),f&&f.apply(h,c),f=g&&h[g],f&&f.apply&&m.acceptData(h)&&(b.result=f.apply(h,c),b.result===!1&&b.preventDefault());if(b.type=p,!e&&!b.isDefaultPrevented()&&(!k._default||k._default.apply(o.pop(),c)===!1)&&m.acceptData(d)&&g&&d[p]&&!m.isWindow(d)){l=d[g],l&&(d[g]=null),m.event.triggered=p;try{d[p]()}catch(r){}m.event.triggered=void 0,l&&(d[g]=l)}return b.result}},dispatch:function(a){a=m.event.fix(a);var b,c,e,f,g,h=[],i=d.call(arguments),j=(m._data(this,"events")||{})[a.type]||[],k=m.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=m.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,g=0;while((e=f.handlers[g++])&&!a.isImmediatePropagationStopped())(!a.namespace_re||a.namespace_re.test(e.namespace))&&(a.handleObj=e,a.data=e.data,c=((m.event.special[e.origType]||{}).handle||e.handler).apply(f.elem,i),void 0!==c&&(a.result=c)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&(!a.button||"click"!==a.type))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(e=[],f=0;h>f;f++)d=b[f],c=d.selector+" ",void 0===e[c]&&(e[c]=d.needsContext?m(c,this).index(i)>=0:m.find(c,this,null,[i]).length),e[c]&&e.push(d);e.length&&g.push({elem:i,handlers:e})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[m.expando])return 
a;var b,c,d,e=a.type,f=a,g=this.fixHooks[e];g||(this.fixHooks[e]=g=Z.test(e)?this.mouseHooks:Y.test(e)?this.keyHooks:{}),d=g.props?this.props.concat(g.props):this.props,a=new m.Event(f),b=d.length;while(b--)c=d[b],a[c]=f[c];return a.target||(a.target=f.srcElement||y),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,g.filter?g.filter(a,f):a},props:"altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,d,e,f=b.button,g=b.fromElement;return null==a.pageX&&null!=b.clientX&&(d=a.target.ownerDocument||y,e=d.documentElement,c=d.body,a.pageX=b.clientX+(e&&e.scrollLeft||c&&c.scrollLeft||0)-(e&&e.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(e&&e.scrollTop||c&&c.scrollTop||0)-(e&&e.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&g&&(a.relatedTarget=g===a.target?b.toElement:g),a.which||void 0===f||(a.which=1&f?1:2&f?3:4&f?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==cb()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===cb()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return m.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return m.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c,d){var e=m.extend(new 
null==b?null:b},getAllResponseHeaders:function(){return 2===t?f:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return t||(a=s[c]=s[c]||a,r[a]=b),this},overrideMimeType:function(a){return t||(k.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>t)for(b in a)q[b]=[q[b],a[b]];else v.always(a[v.status]);return this},abort:function(a){var b=a||u;return i&&i.abort(b),x(0,b),this}};if(o.promise(v).complete=p.add,v.success=v.done,v.error=v.fail,k.url=((a||k.url||zc)+"").replace(Ac,"").replace(Fc,yc[1]+"//"),k.type=b.method||b.type||k.method||k.type,k.dataTypes=m.trim(k.dataType||"*").toLowerCase().match(E)||[""],null==k.crossDomain&&(c=Gc.exec(k.url.toLowerCase()),k.crossDomain=!(!c||c[1]===yc[1]&&c[2]===yc[2]&&(c[3]||("http:"===c[1]?"80":"443"))===(yc[3]||("http:"===yc[1]?"80":"443")))),k.data&&k.processData&&"string"!=typeof k.data&&(k.data=m.param(k.data,k.traditional)),Mc(Hc,k,b,v),2===t)return v;h=k.global,h&&0===m.active++&&m.event.trigger("ajaxStart"),k.type=k.type.toUpperCase(),k.hasContent=!Ec.test(k.type),e=k.url,k.hasContent||(k.data&&(e=k.url+=(wc.test(e)?"&":"?")+k.data,delete k.data),k.cache===!1&&(k.url=Bc.test(e)?e.replace(Bc,"$1_="+vc++):e+(wc.test(e)?"&":"?")+"_="+vc++)),k.ifModified&&(m.lastModified[e]&&v.setRequestHeader("If-Modified-Since",m.lastModified[e]),m.etag[e]&&v.setRequestHeader("If-None-Match",m.etag[e])),(k.data&&k.hasContent&&k.contentType!==!1||b.contentType)&&v.setRequestHeader("Content-Type",k.contentType),v.setRequestHeader("Accept",k.dataTypes[0]&&k.accepts[k.dataTypes[0]]?k.accepts[k.dataTypes[0]]+("*"!==k.dataTypes[0]?", "+Jc+"; q=0.01":""):k.accepts["*"]);for(d in k.headers)v.setRequestHeader(d,k.headers[d]);if(k.beforeSend&&(k.beforeSend.call(l,v,k)===!1||2===t))return v.abort();u="abort";for(d 
in{success:1,error:1,complete:1})v[d](k[d]);if(i=Mc(Ic,k,b,v)){v.readyState=1,h&&n.trigger("ajaxSend",[v,k]),k.async&&k.timeout>0&&(g=setTimeout(function(){v.abort("timeout")},k.timeout));try{t=1,i.send(r,x)}catch(w){if(!(2>t))throw w;x(-1,w)}}else x(-1,"No Transport");function x(a,b,c,d){var j,r,s,u,w,x=b;2!==t&&(t=2,g&&clearTimeout(g),i=void 0,f=d||"",v.readyState=a>0?4:0,j=a>=200&&300>a||304===a,c&&(u=Oc(k,v,c)),u=Pc(k,u,v,j),j?(k.ifModified&&(w=v.getResponseHeader("Last-Modified"),w&&(m.lastModified[e]=w),w=v.getResponseHeader("etag"),w&&(m.etag[e]=w)),204===a||"HEAD"===k.type?x="nocontent":304===a?x="notmodified":(x=u.state,r=u.data,s=u.error,j=!s)):(s=x,(a||!x)&&(x="error",0>a&&(a=0))),v.status=a,v.statusText=(b||x)+"",j?o.resolveWith(l,[r,x,v]):o.rejectWith(l,[v,x,s]),v.statusCode(q),q=void 0,h&&n.trigger(j?"ajaxSuccess":"ajaxError",[v,k,j?r:s]),p.fireWith(l,[v,x]),h&&(n.trigger("ajaxComplete",[v,k]),--m.active||m.event.trigger("ajaxStop")))}return v},getJSON:function(a,b,c){return m.get(a,b,c,"json")},getScript:function(a,b){return m.get(a,void 0,b,"script")}}),m.each(["get","post"],function(a,b){m[b]=function(a,c,d,e){return m.isFunction(c)&&(e=e||d,d=c,c=void 0),m.ajax({url:a,type:b,dataType:e,data:c,success:d})}}),m.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){m.fn[b]=function(a){return this.on(b,a)}}),m._evalUrl=function(a){return m.ajax({url:a,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0})},m.fn.extend({wrapAll:function(a){if(m.isFunction(a))return this.each(function(b){m(this).wrapAll(a.call(this,b))});if(this[0]){var b=m(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return this.each(m.isFunction(a)?function(b){m(this).wrapInner(a.call(this,b))}:function(){var 
b=m(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=m.isFunction(a);return this.each(function(c){m(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){m.nodeName(this,"body")||m(this).replaceWith(this.childNodes)}).end()}}),m.expr.filters.hidden=function(a){return a.offsetWidth<=0&&a.offsetHeight<=0||!k.reliableHiddenOffsets()&&"none"===(a.style&&a.style.display||m.css(a,"display"))},m.expr.filters.visible=function(a){return!m.expr.filters.hidden(a)};var Qc=/%20/g,Rc=/\[\]$/,Sc=/\r?\n/g,Tc=/^(?:submit|button|image|reset|file)$/i,Uc=/^(?:input|select|textarea|keygen)/i;function Vc(a,b,c,d){var e;if(m.isArray(b))m.each(b,function(b,e){c||Rc.test(a)?d(a,e):Vc(a+"["+("object"==typeof e?b:"")+"]",e,c,d)});else if(c||"object"!==m.type(b))d(a,b);else for(e in b)Vc(a+"["+e+"]",b[e],c,d)}m.param=function(a,b){var c,d=[],e=function(a,b){b=m.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=m.ajaxSettings&&m.ajaxSettings.traditional),m.isArray(a)||a.jquery&&!m.isPlainObject(a))m.each(a,function(){e(this.name,this.value)});else for(c in a)Vc(c,a[c],b,e);return d.join("&").replace(Qc,"+")},m.fn.extend({serialize:function(){return m.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=m.prop(this,"elements");return a?m.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!m(this).is(":disabled")&&Uc.test(this.nodeName)&&!Tc.test(a)&&(this.checked||!W.test(a))}).map(function(a,b){var c=m(this).val();return null==c?null:m.isArray(c)?m.map(c,function(a){return{name:b.name,value:a.replace(Sc,"\r\n")}}):{name:b.name,value:c.replace(Sc,"\r\n")}}).get()}}),m.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return!this.isLocal&&/^(get|post|head|put|delete|options)$/i.test(this.type)&&Zc()||$c()}:Zc;var Wc=0,Xc={},Yc=m.ajaxSettings.xhr();a.ActiveXObject&&m(a).on("unload",function(){for(var a in 
Xc)Xc[a](void 0,!0)}),k.cors=!!Yc&&"withCredentials"in Yc,Yc=k.ajax=!!Yc,Yc&&m.ajaxTransport(function(a){if(!a.crossDomain||k.cors){var b;return{send:function(c,d){var e,f=a.xhr(),g=++Wc;if(f.open(a.type,a.url,a.async,a.username,a.password),a.xhrFields)for(e in a.xhrFields)f[e]=a.xhrFields[e];a.mimeType&&f.overrideMimeType&&f.overrideMimeType(a.mimeType),a.crossDomain||c["X-Requested-With"]||(c["X-Requested-With"]="XMLHttpRequest");for(e in c)void 0!==c[e]&&f.setRequestHeader(e,c[e]+"");f.send(a.hasContent&&a.data||null),b=function(c,e){var h,i,j;if(b&&(e||4===f.readyState))if(delete Xc[g],b=void 0,f.onreadystatechange=m.noop,e)4!==f.readyState&&f.abort();else{j={},h=f.status,"string"==typeof f.responseText&&(j.text=f.responseText);try{i=f.statusText}catch(k){i=""}h||!a.isLocal||a.crossDomain?1223===h&&(h=204):h=j.text?200:404}j&&d(h,i,j,f.getAllResponseHeaders())},a.async?4===f.readyState?setTimeout(b):f.onreadystatechange=Xc[g]=b:b()},abort:function(){b&&b(void 0,!0)}}}});function Zc(){try{return new a.XMLHttpRequest}catch(b){}}function $c(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}m.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/(?:java|ecma)script/},converters:{"text script":function(a){return m.globalEval(a),a}}}),m.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),m.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=y.head||m("head")[0]||y.documentElement;return{send:function(d,e){b=y.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||e(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var 
_c=[],ad=/(=)\?(?=&|$)|\?\?/;m.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=_c.pop()||m.expando+"_"+vc++;return this[a]=!0,a}}),m.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(ad.test(b.url)?"url":"string"==typeof b.data&&!(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&ad.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=m.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(ad,"$1"+e):b.jsonp!==!1&&(b.url+=(wc.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||m.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,_c.push(e)),g&&m.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),m.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||y;var d=u.exec(a),e=!c&&[];return d?[b.createElement(d[1])]:(d=m.buildFragment([a],b,e),e&&e.length&&m(e).remove(),m.merge([],d.childNodes))};var bd=m.fn.load;m.fn.load=function(a,b,c){if("string"!=typeof a&&bd)return bd.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>=0&&(d=m.trim(a.slice(h,a.length)),a=a.slice(0,h)),m.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(f="POST"),g.length>0&&m.ajax({url:a,type:f,dataType:"html",data:b}).done(function(a){e=arguments,g.html(d?m("<div>").append(m.parseHTML(a)).find(d):a)}).complete(c&&function(a,b){g.each(c,e||[a.responseText,b,a])}),this},m.expr.filters.animated=function(a){return m.grep(m.timers,function(b){return a===b.elem}).length};var cd=a.document.documentElement;function dd(a){return m.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}m.offset={setOffset:function(a,b,c){var 
d,e,f,g,h,i,j,k=m.css(a,"position"),l=m(a),n={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=m.css(a,"top"),i=m.css(a,"left"),j=("absolute"===k||"fixed"===k)&&m.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),m.isFunction(b)&&(b=b.call(a,c,h)),null!=b.top&&(n.top=b.top-h.top+g),null!=b.left&&(n.left=b.left-h.left+e),"using"in b?b.using.call(a,n):l.css(n)}},m.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){m.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,m.contains(b,e)?(typeof e.getBoundingClientRect!==K&&(d=e.getBoundingClientRect()),c=dd(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===m.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),m.nodeName(a[0],"html")||(c=a.offset()),c.top+=m.css(a[0],"borderTopWidth",!0),c.left+=m.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-m.css(d,"marginTop",!0),left:b.left-c.left-m.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent||cd;while(a&&!m.nodeName(a,"html")&&"static"===m.css(a,"position"))a=a.offsetParent;return a||cd})}}),m.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);m.fn[a]=function(d){return V(this,function(a,d,e){var f=dd(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?m(f).scrollLeft():e,c?e:m(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),m.each(["top","left"],function(a,b){m.cssHooks[b]=Lb(k.pixelPosition,function(a,c){return c?(c=Jb(a,b),Hb.test(c)?m(a).position()[b]+"px":c):void 
0})}),m.each({Height:"height",Width:"width"},function(a,b){m.each({padding:"inner"+a,content:b,"":"outer"+a},function(c,d){m.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return V(this,function(b,c,d){var e;return m.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?m.css(b,c,g):m.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),m.fn.size=function(){return this.length},m.fn.andSelf=m.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return m});var ed=a.jQuery,fd=a.$;return m.noConflict=function(b){return a.$===m&&(a.$=fd),b&&a.jQuery===m&&(a.jQuery=ed),m},typeof b===K&&(a.jQuery=a.$=m),m});
(function($){var Node,Tree,methods;Node=(function(){function Node(row,tree,settings){var parentId;this.row=row;this.tree=tree;this.settings=settings;this.id=this.row.data(this.settings.nodeIdAttr);parentId=this.row.data(this.settings.parentIdAttr);if(parentId!=null&&parentId!=="")this.parentId=parentId;this.treeCell=$(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=$(this.settings.expanderTemplate);this.indenter=$(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter);}Node.prototype.addChild=function(child){return this.children.push(child);};Node.prototype.ancestors=function(){var ancestors,node;node=this;ancestors=[];while(node=node.parentNode())ancestors.push(node);return ancestors;};Node.prototype.collapse=function(){if(this.collapsed())return this;this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null)this.settings.onNodeCollapse.apply(this);return this;};Node.prototype.collapsed=function(){return this.row.hasClass("collapsed");};Node.prototype.expand=function(){if(this.expanded())return this;this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null)this.settings.onNodeExpand.apply(this);if($(this.row).is(":visible"))this._showChildren();this.expander.attr("title",this.settings.stringCollapse);return this;};Node.prototype.expanded=function(){return this.row.hasClass("expanded");};Node.prototype.hide=function(){this._hideChildren();this.row.hide();return this;};Node.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true)return true;else return 
false;};Node.prototype.updateBranchLeafClass=function(){this.row.removeClass('branch');this.row.removeClass('leaf');this.row.addClass(this.isBranchNode()?'branch':'leaf');};Node.prototype.level=function(){return this.ancestors().length;};Node.prototype.parentNode=function(){if(this.parentId!=null)return this.tree[this.parentId];else return null;};Node.prototype.removeChild=function(child){var i=$.inArray(child,this.children);return this.children.splice(i,1);};Node.prototype.render=function(){var handler,settings=this.settings,target;if(settings.expandable===true&&this.isBranchNode()){handler=function(e){$(this).parents("table").treetable("node",$(this).parents("tr").data(settings.nodeIdAttr)).toggle();return e.preventDefault();};this.indenter.html(this.expander);target=settings.clickableNodeNames===true?this.treeCell:this.expander;target.off("click.treetable").on("click.treetable",handler);target.off("keydown.treetable").on("keydown.treetable",function(e){if(e.keyCode==13)handler.apply(this,[e]);});}this.indenter[0].style.paddingLeft=""+(this.level()*settings.indent)+"px";return this;};Node.prototype.reveal=function(){if(this.parentId!=null)this.parentNode().reveal();return this.expand();};Node.prototype.setParent=function(node){if(this.parentId!=null)this.tree[this.parentId].removeChild(this);this.parentId=node.id;this.row.data(this.settings.parentIdAttr,node.id);return node.addChild(this);};Node.prototype.show=function(){if(!this.initialized)this._initialize();this.row.show();if(this.expanded())this._showChildren();return this;};Node.prototype.toggle=function(){if(this.expanded())this.collapse();else this.expand();return this;};Node.prototype._hideChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.hide());}return _results;};Node.prototype._initialize=function(){var 
settings=this.settings;this.render();if(settings.expandable===true&&settings.initialState==="collapsed")this.collapse();else this.expand();if(settings.onNodeInitialized!=null)settings.onNodeInitialized.apply(this);return this.initialized=true;};Node.prototype._showChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.show());}return _results;};return Node;})();Tree=(function(){function Tree(table,settings){this.table=table;this.settings=settings;this.tree={};this.nodes=[];this.roots=[];}Tree.prototype.collapseAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.collapse());}return _results;};Tree.prototype.expandAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.expand());}return _results;};Tree.prototype.findLastNode=function(node){if(node.children.length>0)return this.findLastNode(node.children[node.children.length-1]);else return node;};Tree.prototype.loadRows=function(rows){var node,row,i;if(rows!=null)for(i=0;i<rows.length;i++){row=$(rows[i]);if(row.data(this.settings.nodeIdAttr)!=null){node=new Node(row,this.tree,this.settings);this.nodes.push(node);this.tree[node.id]=node;if(node.parentId!=null&&this.tree[node.parentId])this.tree[node.parentId].addChild(node);else this.roots.push(node);}}for(i=0;i<this.nodes.length;i++)node=this.nodes[i].updateBranchLeafClass();return this;};Tree.prototype.move=function(node,destination){var 
nodeParent=node.parentNode();if(node!==destination&&destination.id!==node.parentId&&$.inArray(node,destination.ancestors())===-1){node.setParent(destination);this._moveRows(node,destination);if(node.parentNode().children.length===1)node.parentNode().render();}if(nodeParent)nodeParent.updateBranchLeafClass();if(node.parentNode())node.parentNode().updateBranchLeafClass();node.updateBranchLeafClass();return this;};Tree.prototype.removeNode=function(node){this.unloadBranch(node);node.row.remove();if(node.parentId!=null)node.parentNode().removeChild(node);delete this.tree[node.id];this.nodes.splice($.inArray(node,this.nodes),1);return this;};Tree.prototype.render=function(){var root,_i,_len,_ref;_ref=this.roots;for(_i=0,_len=_ref.length;_i<_len;_i++){root=_ref[_i];root.show();}return this;};Tree.prototype.sortBranch=function(node,sortFun){node.children.sort(sortFun);this._sortChildRows(node);return this;};Tree.prototype.unloadBranch=function(node){var children=node.children.slice(0),i;for(i=0;i<children.length;i++)this.removeNode(children[i]);node.children=[];node.updateBranchLeafClass();return this;};Tree.prototype._moveRows=function(node,destination){var children=node.children,i;node.row.insertAfter(destination.row);node.render();for(i=children.length-1;i>=0;i--)this._moveRows(children[i],node);};Tree.prototype._sortChildRows=function(parentNode){return this._moveRows(parentNode,parentNode);};return Tree;})();methods={init:function(options,force){var settings;settings=$.extend({branchAttr:"ttBranch",clickableNodeNames:false,column:0,columnElType:"td",expandable:false,expanderTemplate:"<a href='#'> </a>",indent:19,indenterTemplate:"<span class='indenter'></span>",initialState:"collapsed",nodeIdAttr:"ttId",parentIdAttr:"ttParentId",stringExpand:"Expand",stringCollapse:"Collapse",onInitialized:null,onNodeCollapse:null,onNodeExpand:null,onNodeInitialized:null},options);return this.each(function(){var el=$(this),tree;if(force||el.data("treetable")===undefined){tree=new 
Tree(this,settings);tree.loadRows(this.rows).render();el.addClass("treetable").data("treetable",tree);if(settings.onInitialized!=null)settings.onInitialized.apply(tree);}return el;});},destroy:function(){return this.each(function(){return $(this).removeData("treetable").removeClass("treetable");});},collapseAll:function(){this.data("treetable").collapseAll();return this;},collapseNode:function(id){var node=this.data("treetable").tree[id];if(node)node.collapse();else throw new Error("Unknown node '"+id+"'");return this;},expandAll:function(){this.data("treetable").expandAll();return this;},expandNode:function(id){var node=this.data("treetable").tree[id];if(node){if(!node.initialized)node._initialize();node.expand();}else throw new Error("Unknown node '"+id+"'");return this;},loadBranch:function(node,rows){var settings=this.data("treetable").settings,tree=this.data("treetable").tree;rows=$(rows);if(node==null)this.append(rows);else{var lastNode=this.data("treetable").findLastNode(node);rows.insertAfter(lastNode.row);}this.data("treetable").loadRows(rows);rows.filter("tr").each(function(){tree[$(this).data(settings.nodeIdAttr)].show();});if(node!=null)node.render().expand();return this;},move:function(nodeId,destinationId){var destination,node;node=this.data("treetable").tree[nodeId];destination=this.data("treetable").tree[destinationId];this.data("treetable").move(node,destination);return this;},node:function(id){return this.data("treetable").tree[id];},removeNode:function(id){var node=this.data("treetable").tree[id];if(node)this.data("treetable").removeNode(node);else throw new Error("Unknown node '"+id+"'");return this;},reveal:function(id){var node=this.data("treetable").tree[id];if(node)node.reveal();else throw new Error("Unknown node '"+id+"'");return this;},sortBranch:function(node,columnOrFunction){var 
settings=this.data("treetable").settings,prepValue,sortFun;columnOrFunction=columnOrFunction||settings.column;sortFun=columnOrFunction;if($.isNumeric(columnOrFunction))sortFun=function(a,b){var extractValue,valA,valB;extractValue=function(node){var val=node.row.find("td:eq("+columnOrFunction+")").text();return $.trim(val).toUpperCase();};valA=extractValue(a);valB=extractValue(b);if(valA<valB)return -1;if(valA>valB)return 1;return 0;};this.data("treetable").sortBranch(node,sortFun);return this;},unloadBranch:function(node){this.data("treetable").unloadBranch(node);return this;}};$.fn.treetable=function(method){if(methods[method])return methods[method].apply(this,Array.prototype.slice.call(arguments,1));else if(typeof method==='object'||!method)return methods.init.apply(this,arguments);else return $.error("Method "+method+" does not exist on jQuery.treetable");};this.TreeTable||(this.TreeTable={});this.TreeTable.Node=Node;this.TreeTable.Tree=Tree;})(jQuery);if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(t){"use strict";function e(e){return this.each(function(){var n=t(this),o=n.data("bs.alert");o||n.data("bs.alert",o=new i(this)),"string"==typeof e&&o[e].call(n);});}var n='[data-dismiss="alert"]',i=function(e){t(e).on("click",n,this.close);};i.VERSION="3.2.0",i.prototype.close=function(e){function n(){s.detach().trigger("closed.bs.alert").remove();}var i=t(this),o=i.attr("data-target");o||(o=i.attr("href"),o=o&&o.replace(/.*(?=#[^\s]*$)/,""));var s=t(o);e&&e.preventDefault(),s.length||(s=i.hasClass("alert")?i:i.parent()),s.trigger(e=t.Event("close.bs.alert")),e.isDefaultPrevented()||(s.removeClass("in"),t.support.transition&&s.hasClass("fade")?s.one("bsTransitionEnd",n).emulateTransitionEnd(150):n());};var o=t.fn.alert;t.fn.alert=e,t.fn.alert.Constructor=i,t.fn.alert.noConflict=function(){return t.fn.alert=o,this;},t(document).on("click.bs.alert.data-api",n,i.prototype.close);}(jQuery),+function(t){"use 
strict";function e(e){e&&3===e.which||(t(o).remove(),t(s).each(function(){var i=n(t(this)),o={relatedTarget:this};i.hasClass("open")&&(i.trigger(e=t.Event("hide.bs.dropdown",o)),e.isDefaultPrevented()||i.removeClass("open").trigger("hidden.bs.dropdown",o));}));}function n(e){var n=e.attr("data-target");n||(n=e.attr("href"),n=n&&/#[A-Za-z]/.test(n)&&n.replace(/.*(?=#[^\s]*$)/,""));var i=n&&t(n);return i&&i.length?i:e.parent();}function i(e){return this.each(function(){var n=t(this),i=n.data("bs.dropdown");i||n.data("bs.dropdown",i=new a(this)),"string"==typeof e&&i[e].call(n);});}var o=".dropdown-backdrop",s='[data-toggle="dropdown"]',a=function(e){t(e).on("click.bs.dropdown",this.toggle);};a.VERSION="3.2.0",a.prototype.toggle=function(i){var o=t(this);if(!o.is(".disabled, :disabled")){var s=n(o),a=s.hasClass("open");if(e(),!a){"ontouchstart" in document.documentElement&&!s.closest(".navbar-nav").length&&t('<div class="dropdown-backdrop"/>').insertAfter(t(this)).on("click",e);var r={relatedTarget:this};if(s.trigger(i=t.Event("show.bs.dropdown",r)),i.isDefaultPrevented())return;o.trigger("focus"),s.toggleClass("open").trigger("shown.bs.dropdown",r);}return !1;}},a.prototype.keydown=function(e){if(/(38|40|27)/.test(e.keyCode)){var i=t(this);if(e.preventDefault(),e.stopPropagation(),!i.is(".disabled, :disabled")){var o=n(i),a=o.hasClass("open");if(!a||a&&27==e.keyCode)return 27==e.which&&o.find(s).trigger("focus"),i.trigger("click");var r=" li:not(.divider):visible a",l=o.find('[role="menu"]'+r+', [role="listbox"]'+r);if(l.length){var d=l.index(l.filter(":focus"));38==e.keyCode&&d>0&&d--,40==e.keyCode&&d<l.length-1&&d++,~d||(d=0),l.eq(d).trigger("focus");}}}};var r=t.fn.dropdown;t.fn.dropdown=i,t.fn.dropdown.Constructor=a,t.fn.dropdown.noConflict=function(){return t.fn.dropdown=r,this;},t(document).on("click.bs.dropdown.data-api",e).on("click.bs.dropdown.data-api",".dropdown 
form",function(t){t.stopPropagation();}).on("click.bs.dropdown.data-api",s,a.prototype.toggle).on("keydown.bs.dropdown.data-api",s+', [role="menu"], [role="listbox"]',a.prototype.keydown);}(jQuery),+function(t){"use strict";function e(e,i){return this.each(function(){var o=t(this),s=o.data("bs.modal"),a=t.extend({},n.DEFAULTS,o.data(),"object"==typeof e&&e);s||o.data("bs.modal",s=new n(this,a)),"string"==typeof e?s[e](i):a.show&&s.show(i);});}var n=function(e,n){this.options=n,this.$body=t(document.body),this.$element=t(e),this.$backdrop=this.isShown=null,this.scrollbarWidth=0,this.options.remote&&this.$element.find(".modal-content").load(this.options.remote,t.proxy(function(){this.$element.trigger("loaded.bs.modal");},this));};n.VERSION="3.2.0",n.DEFAULTS={backdrop:!0,keyboard:!0,show:!0},n.prototype.toggle=function(t){return this.isShown?this.hide():this.show(t);},n.prototype.show=function(e){var n=this,i=t.Event("show.bs.modal",{relatedTarget:e});this.$element.trigger(i),this.isShown||i.isDefaultPrevented()||(this.isShown=!0,this.checkScrollbar(),this.$body.addClass("modal-open"),this.setScrollbar(),this.escape(),this.$element.on("click.dismiss.bs.modal",'[data-dismiss="modal"]',t.proxy(this.hide,this)),this.backdrop(function(){var i=t.support.transition&&n.$element.hasClass("fade");n.$element.parent().length||n.$element.appendTo(n.$body),n.$element.show().scrollTop(0),i&&n.$element[0].offsetWidth,n.$element.addClass("in").attr("aria-hidden",!1),n.enforceFocus();var 
o=t.Event("shown.bs.modal",{relatedTarget:e});i?n.$element.find(".modal-dialog").one("bsTransitionEnd",function(){n.$element.trigger("focus").trigger(o);}).emulateTransitionEnd(300):n.$element.trigger("focus").trigger(o);}));},n.prototype.hide=function(e){e&&e.preventDefault(),e=t.Event("hide.bs.modal"),this.$element.trigger(e),this.isShown&&!e.isDefaultPrevented()&&(this.isShown=!1,this.$body.removeClass("modal-open"),this.resetScrollbar(),this.escape(),t(document).off("focusin.bs.modal"),this.$element.removeClass("in").attr("aria-hidden",!0).off("click.dismiss.bs.modal"),t.support.transition&&this.$element.hasClass("fade")?this.$element.one("bsTransitionEnd",t.proxy(this.hideModal,this)).emulateTransitionEnd(300):this.hideModal());},n.prototype.enforceFocus=function(){t(document).off("focusin.bs.modal").on("focusin.bs.modal",t.proxy(function(t){this.$element[0]===t.target||this.$element.has(t.target).length||this.$element.trigger("focus");},this));},n.prototype.escape=function(){this.isShown&&this.options.keyboard?this.$element.on("keyup.dismiss.bs.modal",t.proxy(function(t){27==t.which&&this.hide();},this)):this.isShown||this.$element.off("keyup.dismiss.bs.modal");},n.prototype.hideModal=function(){var t=this;this.$element.hide(),this.backdrop(function(){t.$element.trigger("hidden.bs.modal");});},n.prototype.removeBackdrop=function(){this.$backdrop&&this.$backdrop.remove(),this.$backdrop=null;},n.prototype.backdrop=function(e){var n=this,i=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var o=t.support.transition&&i;if(this.$backdrop=t('<div class="modal-backdrop '+i+'" 
/>').appendTo(this.$body),this.$element.on("click.dismiss.bs.modal",t.proxy(function(t){t.target===t.currentTarget&&("static"==this.options.backdrop?this.$element[0].focus.call(this.$element[0]):this.hide.call(this));},this)),o&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),!e)return;o?this.$backdrop.one("bsTransitionEnd",e).emulateTransitionEnd(150):e();}else if(!this.isShown&&this.$backdrop){this.$backdrop.removeClass("in");var s=function(){n.removeBackdrop(),e&&e();};t.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one("bsTransitionEnd",s).emulateTransitionEnd(150):s();}else e&&e();},n.prototype.checkScrollbar=function(){document.body.clientWidth>=window.innerWidth||(this.scrollbarWidth=this.scrollbarWidth||this.measureScrollbar());},n.prototype.setScrollbar=function(){var t=parseInt(this.$body.css("padding-right")||0,10);this.scrollbarWidth&&this.$body.css("padding-right",t+this.scrollbarWidth);},n.prototype.resetScrollbar=function(){this.$body.css("padding-right","");},n.prototype.measureScrollbar=function(){var t=document.createElement("div");t.className="modal-scrollbar-measure",this.$body.append(t);var e=t.offsetWidth-t.clientWidth;return this.$body[0].removeChild(t),e;};var i=t.fn.modal;t.fn.modal=e,t.fn.modal.Constructor=n,t.fn.modal.noConflict=function(){return t.fn.modal=i,this;},t(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(n){var i=t(this),o=i.attr("href"),s=t(i.attr("data-target")||o&&o.replace(/.*(?=#[^\s]+$)/,"")),a=s.data("bs.modal")?"toggle":t.extend({remote:!/#/.test(o)&&o},s.data(),i.data());i.is("a")&&n.preventDefault(),s.one("show.bs.modal",function(t){t.isDefaultPrevented()||s.one("hidden.bs.modal",function(){i.is(":visible")&&i.trigger("focus");});}),e.call(s,a,this);});}(jQuery),+function(t){"use strict";function e(e){return this.each(function(){var i=t(this),o=i.data("bs.collapse"),s=t.extend({},n.DEFAULTS,i.data(),"object"==typeof 
e&&e);!o&&s.toggle&&"show"==e&&(e=!e),o||i.data("bs.collapse",o=new n(this,s)),"string"==typeof e&&o[e]();});}var n=function(e,i){this.$element=t(e),this.options=t.extend({},n.DEFAULTS,i),this.transitioning=null,this.options.parent&&(this.$parent=t(this.options.parent)),this.options.toggle&&this.toggle();};n.VERSION="3.2.0",n.DEFAULTS={toggle:!0},n.prototype.dimension=function(){var t=this.$element.hasClass("width");return t?"width":"height";},n.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var n=t.Event("show.bs.collapse");if(this.$element.trigger(n),!n.isDefaultPrevented()){var i=this.$parent&&this.$parent.find("> .panel > .in");if(i&&i.length){var o=i.data("bs.collapse");if(o&&o.transitioning)return;e.call(i,"hide"),o||i.data("bs.collapse",null);}var s=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[s](0),this.transitioning=1;var a=function(){this.$element.removeClass("collapsing").addClass("collapse in")[s](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse");};if(!t.support.transition)return a.call(this);var r=t.camelCase(["scroll",s].join("-"));this.$element.one("bsTransitionEnd",t.proxy(a,this)).emulateTransitionEnd(350)[s](this.$element[0][r]);}}},n.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var e=t.Event("hide.bs.collapse");if(this.$element.trigger(e),!e.isDefaultPrevented()){var n=this.dimension();this.$element[n](this.$element[n]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse").removeClass("in"),this.transitioning=1;var i=function(){this.transitioning=0,this.$element.trigger("hidden.bs.collapse").removeClass("collapsing").addClass("collapse");};return t.support.transition?void this.$element[n](0).one("bsTransitionEnd",t.proxy(i,this)).emulateTransitionEnd(350):i.call(this);}}},n.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]();};var 
i=t.fn.collapse;t.fn.collapse=e,t.fn.collapse.Constructor=n,t.fn.collapse.noConflict=function(){return t.fn.collapse=i,this;},t(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(n){var i,o=t(this),s=o.attr("data-target")||n.preventDefault()||(i=o.attr("href"))&&i.replace(/.*(?=#[^\s]+$)/,""),a=t(s),r=a.data("bs.collapse"),l=r?"toggle":o.data(),d=o.attr("data-parent"),h=d&&t(d);r&&r.transitioning||(h&&h.find('[data-toggle="collapse"][data-parent="'+d+'"]').not(o).addClass("collapsed"),o[a.hasClass("in")?"addClass":"removeClass"]("collapsed")),e.call(a,l);});}(jQuery),+function(t){"use strict";function e(){var t=document.createElement("bootstrap"),e={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var n in e)if(void 0!==t.style[n])return{end:e[n]};return !1;}t.fn.emulateTransitionEnd=function(e){var n=!1,i=this;t(this).one("bsTransitionEnd",function(){n=!0;});var o=function(){n||t(i).trigger(t.support.transition.end);};return setTimeout(o,e),this;},t(function(){t.support.transition=e(),t.support.transition&&(t.event.special.bsTransitionEnd={bindType:t.support.transition.end,delegateType:t.support.transition.end,handle:function(e){return t(e.target).is(this)?e.handleObj.handler.apply(this,arguments):void 0;}});});}(jQuery);function openRuleDetailsDialog(rule_result_id){$("#detail-modal").remove();var closebutton=$('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="true" title="Close">&#x274c;</button>');var modal=$('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="true"><div id="detail-modal-body" class="modal-body"></div></div>');$("body").prepend(modal);var 
clone=$("#rule-detail-"+rule_result_id).clone();clone.attr("id","");clone.children(".panel-heading").append(closebutton);closebutton.css({"float":"right"});closebutton.css({"margin-top":"-=23px"});$("#detail-modal-body").append(clone);$("#detail-modal").modal();return false;}function toggleRuleDisplay(checkbox){var result=checkbox.value;if(checkbox.checked){$(".rule-overview-leaf-"+result).removeClass("rule-result-filtered");$(".rule-detail-"+result).removeClass("rule-result-filtered");}else{$(".rule-overview-leaf-"+result).addClass("rule-result-filtered");$(".rule-detail-"+result).addClass("rule-result-filtered");}stripeTreeTable();}function toggleResultDetails(button){var result_details=$("#result-details");if(result_details.is(":visible")){result_details.hide();$(button).html("Show all result details");}else{result_details.show();$(button).html("Hide all result details");}return false;}function ruleSearchMatches(detail_leaf,keywords){if(keywords.length==0)return true;var match=true;var checked_keywords=detail_leaf.children(".keywords").text().toLowerCase();var index;for(index=0;index<keywords.length;++index)if(checked_keywords.indexOf(keywords[index].toLowerCase())<0){match=false;break;}return match;}function ruleSearch(){var search_input=$("#search-input").val();var keywords=search_input.split(/[\s,\.;]+/);var matches=0;$(".rule-detail").each(function(){var rrid=$(this).attr("id").substring(12);var overview_leaf=$("#rule-overview-leaf-"+rrid);var detail_leaf=$(this);if(ruleSearchMatches(detail_leaf,keywords)){overview_leaf.removeClass("search-no-match");detail_leaf.removeClass("search-no-match");++matches;}else{overview_leaf.addClass("search-no-match");detail_leaf.addClass("search-no-match");}});if(!search_input)$("#search-matches").html("");else if(matches>0)$("#search-matches").html(matches.toString()+" rules match.");else $("#search-matches").html("No rules match your search criteria!");}var is_original=true;var 
original_treetable=null;$(document).ready(function(){$("#result-details").hide();$(".js-only").show();$(".form-group select").val("default");$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});original_treetable=$(".treetable").clone();$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});is_original=true;stripeTreeTable();});function resetTreetable(){if(!is_original){$(".treetable").remove();$("#rule-overview").append(original_treetable.clone());$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});is_original=true;}}function newGroupLine(group_name){return "<tr class=\"rule-overview-inner-node\" data-tt-id=\""+group_name+"\">"+"<td colspan=\"3\"><strong>"+group_name+"</strong></td></tr>";}var KeysEnum={DEFAULT:"default",SEVERITY:"severity",RESULT:"result",NIST:"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf",DISA:"http://iase.disa.mil/stigs/cci/Pages/index.aspx",PCI_DSS:"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf"};function getTargetGroupsList(rule,key){switch(key){case KeysEnum.SEVERITY:var severity=rule.children(".rule-severity").text();return [severity];case KeysEnum.RESULT:var result=rule.children(".rule-result").text();return [result];default:try{var references=JSON.parse(rule.attr("data-references"));}catch(err){return ["unknown"];}if(!references.hasOwnProperty(key))return ["unknown"];return references[key];}}function sortGroups(groups,key){switch(key){case KeysEnum.SEVERITY:return ["high","medium","low"];case KeysEnum.DISA:return groups.sort(function(a,b){return parseInt(a)-parseInt(b);});case KeysEnum.NIST:return groups.sort(function(a,b){var regex=/(\w\w)-(\d+)(.*)/;var a_parts=regex.exec(a);var b_parts=regex.exec(b);if(a_parts==null)return 1;if(b_parts==null)return -1;var 
result=a_parts[1].localeCompare(b_parts[1]);if(result!=0)return result;else{result=a_parts[2]-b_parts[2];if(result!=0)return result;else return a_parts[3].localeCompare(b_parts[3]);}});case KeysEnum.PCI_DSS:return groups.sort(function(a,b){var regex=/Req-(\d+)/;var a_parts=regex.exec(a);var b_parts=regex.exec(b);if(a_parts==null)return 1;if(b_parts==null)return -1;return parseInt(a_parts[1])-parseInt(b_parts[1]);});default:return groups.sort();}}function groupRulesBy(key){resetTreetable();if(key==KeysEnum.DEFAULT)return;var lines={};$(".rule-overview-leaf").each(function(){$(this).children("td:first").css("padding-left","0px");var id=$(this).attr("data-tt-id");var target_groups=getTargetGroupsList($(this),key);for(i=0;i<target_groups.length;i++){var target_group=target_groups[i];if(!lines.hasOwnProperty(target_group))lines[target_group]=[newGroupLine(target_group)];var clone=$(this).clone();clone.attr("data-tt-id",id+"copy"+i);clone.attr("data-tt-parent-id",target_group);var new_line=clone.wrap("<div>").parent().html();lines[target_group].push(new_line);}});$(".treetable").remove();var groups=sortGroups(Object.keys(lines),key);var html_text="";for(i=0;i<groups.length;i++)html_text+=lines[groups[i]].join("\n");new_table="<table class=\"treetable table table-bordered\"><thead><tr><th>Group</th> <th style=\"width: 120px; text-align: center\">Severity</th><th style=\"width: 120px; text-align: center\">Result</th></tr></thead><tbody>"+html_text+"</tbody></table>";$("#rule-overview").append(new_table);is_original=false;$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});stripeTreeTable();}function stripeTreeTable(){var rows=$(".rule-overview-leaf:not(.rule-result-filtered)");var even=false;$(rows).each(function(){$(this).css("background-color",even?"#F9F9F9":"inherit");even=!even;});}</script></head><body><nav class="navbar navbar-default" role="navigation"><div class="navbar-header" style="float: none"><a 
class="navbar-brand" href="#"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</h2><blockquote>with profile <mark>STIG for Red Hat Enterprise Linux 7 Server</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description"><small>This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">
  </div><div class="description">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 7 formatted in the
eXtensible Configuration Checklist Description Format (XCCDF).  
<br>
<br>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles.  Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation.  This guide is a <i>catalog, not a
checklist,</i> and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios.  However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability.  Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives.  Some example
XCCDF <i>Profiles</i>, which are selections of items that form checklists and
can be used as baselines, are available with this guide.  They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP).  The DISA STIG for Red Hat Enterprise Linux 7 is one example of
a baseline created from this guidance.
</div><div class="top-spacer-10"><div class="alert alert-info"><div>
<p>This benchmark is a direct port of a <i>SCAP Security Guide</i> benchmark developed for <i>Red Hat Enterprise Linux</i>. It has been modified through an automated process to remove specific dependencies on <i>Red Hat Enterprise Linux</i> and to function with <i>CentOS</i>. The result is a generally useful <i>SCAP Security Guide</i> benchmark with the following caveats:</p>
<ul>
<li><i>CentOS</i> is not an exact copy of <i>Red Hat Enterprise Linux</i>. There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.</li>

<li><i>CentOS</i> has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. <i>CentOS</i> does not inherit certifications or evaluations from <i>Red Hat Enterprise Linux</i>. As such, some configuration rules (such as those requiring <i>FIPS 140-2</i> encryption) will continue to fail on <i>CentOS</i>.</li>
</ul>

<p>Members of the <i>CentOS</i> community are invited to participate in <a href="http://open-scap.org">OpenSCAP</a> and <a href="https://github.com/OpenSCAP/scap-security-guide">SCAP Security Guide</a> development. Bug reports and patches can be sent to GitHub: <a href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>. The mailing list is at <a href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div class="alert alert-info">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and make no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.</div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Target machine</th><td>localhost.localdomain</td></tr><tr><th>Benchmark URL</th><td>/tmp/tmp.dSk9R3mOK8/input.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream</td></tr><tr><th>Started at</th><td>2016-04-28T02:59:27</td></tr><tr><th>Finished at</th><td>2016-04-28T03:00:12</td></tr><tr><th>Performed by</th><td>oscap-user</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:centos:centos:7 was found applicable on the evaluated machine">cpe:/o:centos:centos:7</span></li><li class="list-group-item"><span class="label label-default" title="This CPE platform was not applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="This CPE platform was not applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="This CPE platform was not applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>
                             127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span>
                             10.0.2.15</li><li class="list-group-item"><span class="label label-primary">IPv4</span>
                             192.168.56.102</li><li class="list-group-item"><span class="label label-info">IPv6</span>
                             0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>
                             fe80:0:0:0:a00:27ff:fe7e:b6d0</li><li class="list-group-item"><span class="label label-info">IPv6</span>
                             fe80:0:0:0:a00:27ff:fe75:ed61</li><li class="list-group-item"><span class="label label-default">MAC</span>
                             00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>
                             08:00:27:7E:B6:D0</li><li class="list-group-item"><span class="label label-default">MAC</span>
                             08:00:27:75:ED:61</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 108 rules!</strong>
                        Furthermore, the result of 1 rule was inconclusive.
                    
                    Please review rule results and consider applying remediation.
                </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were 182 rules taken into account."><div class="progress-bar progress-bar-success" style="width: 35.1648351648352%">64 passed
            </div><div class="progress-bar progress-bar-danger" style="width: 59.3406593406593%">108 failed
            </div><div class="progress-bar progress-bar-warning" style="width: 5.494505494505497%">10 other
            </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). There were 108 total failed rules."><div class="progress-bar progress-bar-success" style="width: 0%">0 other
            </div><div class="progress-bar progress-bar-info" style="width: 39.8148148148148%">43 low
            </div><div class="progress-bar progress-bar-warning" style="width: 55.5555555555556%">60 medium
            </div><div class="progress-bar progress-bar-danger" style="width: 4.62962962962963%">5 high
            </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">55.343140</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 55.34314%">55.34%</div><div class="progress-bar progress-bar-danger" style="width: 44.65686%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass"></input>pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed"></input>fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational"></input>informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail"></input>fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="error"></input>error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown"></input>unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input 
class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked"></input>notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" value="notselected"></input>notselected</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable"></input>notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"></input><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p>
                    Group rules by:
                    <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option value="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">
                        NIST SP 800-53 ID
                    </option><option value="http://iase.disa.mil/stigs/cci/Pages/index.aspx">
                        DISA ID
                    </option><option value="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf</option><option value="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-7" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</strong> <span class="badge">108x fail</span> <span class="badge">1x unknown</span> <span class="badge">9x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px">Introduction<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_general-principles" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_general-principles" data-tt-parent-id="xccdf_org.ssgproject.content_group_intro"><td colspan="3" style="padding-left: 38px">General Principles<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_general-principles");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" data-tt-parent-id="xccdf_org.ssgproject.content_group_general-principles"><td colspan="3" style="padding-left: 57px">Encrypt Transmitted Data Whenever Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-minimize-software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_principle-minimize-software" data-tt-parent-id="xccdf_org.ssgproject.content_group_general-principles"><td colspan="3" style="padding-left: 57px">Minimize Software to Minimize Vulnerability<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_principle-minimize-software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-separate-servers" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_principle-separate-servers" data-tt-parent-id="xccdf_org.ssgproject.content_group_general-principles"><td colspan="3" style="padding-left: 57px">Run Different Network Services on Separate Systems<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_principle-separate-servers");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools" data-tt-parent-id="xccdf_org.ssgproject.content_group_general-principles"><td colspan="3" style="padding-left: 57px">Configure Security Tools to Improve System 
Robustness<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_principle-use-security-tools");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege" data-tt-parent-id="xccdf_org.ssgproject.content_group_general-principles"><td colspan="3" style="padding-left: 57px">Least Privilege<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_principle-least-privilege");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_how-to-use" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_how-to-use" data-tt-parent-id="xccdf_org.ssgproject.content_group_intro"><td colspan="3" style="padding-left: 38px">How to Use This Guide<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_how-to-use");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-read-sections-completely" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro-read-sections-completely" data-tt-parent-id="xccdf_org.ssgproject.content_group_how-to-use"><td colspan="3" style="padding-left: 57px">Read Sections Completely and in Order<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro-read-sections-completely");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-test-non-production" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro-test-non-production" data-tt-parent-id="xccdf_org.ssgproject.content_group_how-to-use"><td colspan="3" style="padding-left: 57px">Test in Non-Production 
Environment<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro-test-non-production");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro-root-shell-assumed" data-tt-parent-id="xccdf_org.ssgproject.content_group_how-to-use"><td colspan="3" style="padding-left: 57px">Root Shell Environment Assumed<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro-root-shell-assumed");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-formatting-conventions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro-formatting-conventions" data-tt-parent-id="xccdf_org.ssgproject.content_group_how-to-use"><td colspan="3" style="padding-left: 57px">Formatting Conventions<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro-formatting-conventions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-reboot-required" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_intro-reboot-required" data-tt-parent-id="xccdf_org.ssgproject.content_group_how-to-use"><td colspan="3" style="padding-left: 57px">Reboot Required<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_intro-reboot-required");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> <span class="badge">90x fail</span> 
<span class="badge">1x unknown</span> <span class="badge">9x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">9x fail</span> <span class="badge">1x unknown</span> <span class="badge">3x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Disk Partitioning</strong> <span class="badge">3x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_tmp" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122570736" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000480-GPOS-00227","021270"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-32(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122570736" onclick="return openRuleDetailsDialog('idp122570736')">Ensure /tmp Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122574464" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000480-GPOS-00227","021250"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-32(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122574464" onclick="return openRuleDetailsDialog('idp122574464')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-overview-leaf-idp122578096" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9","SC-32"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122578096" onclick="return openRuleDetailsDialog('idp122578096')">Ensure /var/log 
Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122583008" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000480-GPOS-00227","021260"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-4","AU-9","SC-32(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122583008" onclick="return openRuleDetailsDialog('idp122583008')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idp122586672" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" 
data-references='{"":["SRG-OS-000480-GPOS-00227","021240"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","1208"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-32(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.9"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122586672" onclick="return openRuleDetailsDialog('idp122586672')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_encrypt_partitions" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_encrypt_partitions" id="rule-overview-leaf-idp122590304" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000405-GPOS-00184","SRG-OS-000185-GPOS-00079","020170"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1199","2476"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-13","SC-28(1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122590304" onclick="return openRuleDetailsDialog('idp122590304')">Encrypt Partitions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idp122594576" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["366"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1749"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-5(3)","SI-7","MA-1(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.2.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20150407 by sdw"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122594576" onclick="return openRuleDetailsDialog('idp122594576')">Ensure Red Hat GPG Key Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idp122598240" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-GPOS-00153","020150"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1749"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-5(3)","SI-7","MA-1(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.2.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20150407 by sdw"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122598240" onclick="return openRuleDetailsDialog('idp122598240')">Ensure gpgcheck Enabled In Main Yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idp122601904" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["366"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1749"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-5(3)","SI-7","MA-1(b)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20150407 by sdw"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122601904" onclick="return openRuleDetailsDialog('idp122601904')">Ensure gpgcheck Enabled For All Yum Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr 
title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idp122605568" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SI-2","MA-1(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120928 by MM"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122605568" onclick="return openRuleDetailsDialog('idp122605568')">Ensure Software Patches Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Software Integrity Checking</strong> <span class="badge">6x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Verify Integrity with AIDE</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122609600" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-3(d)","CM-3(e)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.3.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122609600" onclick="return openRuleDetailsDialog('idp122609600')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not 
satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_prelink" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122613248" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(d)","CM-6(3)","SC-28","SI-7"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122613248" onclick="return openRuleDetailsDialog('idp122613248')">Disable Prelinking</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122616880" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-3(d)","CM-3(e)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122616880" onclick="return openRuleDetailsDialog('idp122616880')">Build and Test AIDE Database</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122620512" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["374","416","1069","1263","1297","1589"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-3(d)","CM-3(e)","CM-6(d)","CM-6(3)","SC-28","SI-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.3.1"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122620512" onclick="return openRuleDetailsDialog('idp122620512')">Configure Periodic Execution of AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Verify Integrity with RPM</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122624176" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" 
data-references='{"":["010010"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1493","1494","1495"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","CM-6(d)","CM-6(3)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.2.6","6.1.3","6.1.4","6.1.5","6.1.6","6.1.7","6.1.8","6.1.9","6.2.3"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122624176" onclick="return openRuleDetailsDialog('idp122624176')">Verify and Correct File Permissions with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-overview-leaf-idp122627824" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"":["010020"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1496"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(d)","CM-6(3)","SI-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.2.6"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122627824" onclick="return openRuleDetailsDialog('idp122627824')">Verify File Hashes with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_additional_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_additional_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Additional Security Software</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_hids" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_install_hids" id="rule-overview-leaf-idp122631456" data-tt-parent-id="xccdf_org.ssgproject.content_group_additional_security_software" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1263"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-7"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122631456" onclick="return openRuleDetailsDialog('idp122631456')">Install Intrusion Detection Software</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_antivirus" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122635728" data-tt-parent-id="xccdf_org.ssgproject.content_group_additional_security_software" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1239","1668"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-28","SI-3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122635728" onclick="return openRuleDetailsDialog('idp122635728')">Install Virus Scanning Software</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mcafee_security_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mcafee_security_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">McAfee Security Software<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mcafee_security_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_mcafee_hbss" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_install_mcafee_hbss" id="rule-overview-leaf-idp122639360" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" 
data-references='{"":["STG-OS-000480-GPOS-00227","030790"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","1263"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-7","SI-4(1).1"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-11.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122639360" onclick="return openRuleDetailsDialog('idp122639360')">Install McAfee Host-Based Intrusion Detection Software (HBSS)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" id="rule-overview-leaf-idp122644272" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"":["SRG-OS-000480-GPOS-00227","030810"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","1239","1668"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122644272" onclick="return openRuleDetailsDialog('idp122644272')">Install McAfee Virus Scanning Software</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_nails_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_nails_enabled" id="rule-overview-leaf-idp122649200" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","1239","1668"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122649200" onclick="return openRuleDetailsDialog('idp122649200')">Enable nails Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" id="rule-overview-leaf-idp122654112" data-tt-parent-id="xccdf_org.ssgproject.content_group_mcafee_security_software" data-references='{"":["SRG-OS-000480-GPOS-00227","030820"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","1239","1668"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-28","SI-3","SI-3(1)(ii)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122654112" onclick="return openRuleDetailsDialog('idp122654112')">Virus Scanning Software Definitions Are Updated</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>GNOME Desktop Environment</strong> <span class="badge">1x unknown</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_login_screen" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_login_screen" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">Configure GNOME Login Screen<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_login_screen");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-overview-leaf-idp122662720" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"":["SRG-OS-000480-GPOS-00229","010430"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122662720" onclick="return openRuleDetailsDialog('idp122662720')">Disable GDM Automatic Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-overview-leaf-idp122667680" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"":["SRG-OS-000480-GPOS-00229","010431"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122667680" onclick="return openRuleDetailsDialog('idp122667680')">Disable GDM Guest Login</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" id="rule-overview-leaf-idp122672640" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-23"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122672640" onclick="return openRuleDetailsDialog('idp122672640')">Disable the GNOME3 Login User List</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" id="rule-overview-leaf-idp122677600" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122677600" onclick="return openRuleDetailsDialog('idp122677600')">Disable the GNOME3 Login Restart and Shutdown Buttons</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-overview-leaf-idp122682560" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["765","766","767","768","771","772","884"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122682560" onclick="return openRuleDetailsDialog('idp122682560')">Enable the GNOME3 Login Smartcard Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" id="rule-overview-leaf-idp122687520" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_login_screen" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122687520" onclick="return openRuleDetailsDialog('idp122687520')">Set the GNOME3 Login Number of Failures</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px"><strong>Configure GNOME Screen Locking</strong> <span class="badge">1x unknown</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" class="rule-overview-leaf rule-overview-leaf-unknown rule-overview-needs-attention" id="rule-overview-leaf-idp122692464" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["SRG-OS-000029-GPOS-00010","010070"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["57"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-11(a)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122692464" onclick="return openRuleDetailsDialog('idp122692464')">Set GNOME3 Screensaver Inactivity Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-unknown"><div><abbr title="The testing tool encountered some problem and the result is unknown. 
For example, a result of 'unknown' might be given if the testing tool was unable to interpret the output of the checking engine (the output has no meaning to the testing tool).">unknown</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-overview-leaf-idp122697600" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["SRG-OS-000029-GPOS-00010","010073"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["57"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-11(a)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122697600" onclick="return openRuleDetailsDialog('idp122697600')">Enable GNOME3 Screensaver Idle Activation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-overview-leaf-idp122701296" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"":["SRG-OS-000028-GPOS-00009","OS-SRG-000030-GPOS-00011","010060"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["56"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-11(b)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122701296" 
onclick="return openRuleDetailsDialog('idp122701296')">Enable GNOME3 Screensaver Lock After Idle Period</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" id="rule-overview-leaf-idp122704960" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["60"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-11(b)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122704960" onclick="return openRuleDetailsDialog('idp122704960')">Implement Blank Screensaver</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" id="rule-overview-leaf-idp122709920" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122709920" onclick="return openRuleDetailsDialog('idp122709920')">Disable Full User Name on Splash Shield</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_system_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_system_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">GNOME System Settings<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_system_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot" id="rule-overview-leaf-idp122714880" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_system_settings" 
data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122714880" onclick="return openRuleDetailsDialog('idp122714880')">Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin" id="rule-overview-leaf-idp122719840" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_system_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122719840" onclick="return openRuleDetailsDialog('idp122719840')">Disable User Administration in GNOME3</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings" id="rule-overview-leaf-idp122724800" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_system_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122724800" onclick="return openRuleDetailsDialog('idp122724800')">Disable Power Settings in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation" id="rule-overview-leaf-idp122729760" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_system_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122729760" onclick="return openRuleDetailsDialog('idp122729760')">Disable Geolocation in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_network_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_network_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">GNOME Network Settings<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_network_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create" id="rule-overview-leaf-idp122734720" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_network_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122734720" onclick="return openRuleDetailsDialog('idp122734720')">Disable WIFI Network Connection Creation in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification" id="rule-overview-leaf-idp122739680" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_network_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122739680" onclick="return openRuleDetailsDialog('idp122739680')">Disable WIFI Network Notification in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_remote_access_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">GNOME Remote Access Settings<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_remote_access_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" id="rule-overview-leaf-idp122744640" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp122744640" 
onclick="return openRuleDetailsDialog('idp122744640')">Require Credential Prompting for Remote Access in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" id="rule-overview-leaf-idp122749648" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-2(1)(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122749648" onclick="return openRuleDetailsDialog('idp122749648')">Require Encryption for Remote Access in GNOME3</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_media_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gnome_media_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome"><td colspan="3" style="padding-left: 76px">GNOME Media Settings<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gnome_media_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" id="rule-overview-leaf-idp122754608" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_media_settings" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122754608" onclick="return openRuleDetailsDialog('idp122754608')">Disable GNOME3 Automounting</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" id="rule-overview-leaf-idp122759568" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome_media_settings" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122759568" onclick="return openRuleDetailsDialog('idp122759568')">Disable All GNOME3 Thumbnailers</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" id="rule-overview-leaf-idp122657776" data-tt-parent-id="xccdf_org.ssgproject.content_group_gnome" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp122657776" onclick="return openRuleDetailsDialog('idp122657776')">Configure GNOME3 DConf User Profile</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">6x fail</span> <span class="badge">3x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Partition Mount Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_partitions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-overview-leaf-idp122764528" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122764528" onclick="return openRuleDetailsDialog('idp122764528')">Add nodev Option to Non-Root Local Partitions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" id="rule-overview-leaf-idp122768224" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)","CM-7","MP-2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122768224" onclick="return openRuleDetailsDialog('idp122768224')">Add nodev Option to Removable Media Partitions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" id="rule-overview-leaf-idp122772736" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["87"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)","CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.12"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122772736" onclick="return openRuleDetailsDialog('idp122772736')">Add noexec Option to Removable Media Partitions</a></td><td 
class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-overview-leaf-idp122778544" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)","CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.13"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122778544" onclick="return openRuleDetailsDialog('idp122778544')">Add nosuid Option to Removable Media Partitions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" id="rule-overview-leaf-idp122783056" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122783056" onclick="return openRuleDetailsDialog('idp122783056')">Add nodev Option to /tmp</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-overview-leaf-idp122786704" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122786704" onclick="return openRuleDetailsDialog('idp122786704')">Add noexec Option to /tmp</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-overview-leaf-idp122790352" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122790352" onclick="return openRuleDetailsDialog('idp122790352')">Add nosuid Option to /tmp</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-overview-leaf-idp122794000" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.14"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122794000" onclick="return openRuleDetailsDialog('idp122794000')">Add nodev Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-overview-leaf-idp122797664" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.16"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122797664" onclick="return openRuleDetailsDialog('idp122797664')">Add noexec Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-overview-leaf-idp122801360" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.14"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122801360" onclick="return openRuleDetailsDialog('idp122801360')">Add nosuid Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" id="rule-overview-leaf-idp122805024" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122805024" onclick="return openRuleDetailsDialog('idp122805024')">Bind Mount /var/tmp To /tmp</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Dynamic Mounting and Unmounting of
Filesystems</strong> <span class="badge">2x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122808688" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-0016","SRG-OS-000480-GPOS-00227","020160"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","778","1958"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122808688" onclick="return openRuleDetailsDialog('idp122808688')">Disable Modprobe Loading of USB Storage Driver</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bootloader_nousb_argument" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122812352" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1250"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122812352" onclick="return openRuleDetailsDialog('idp122812352')">Disable Kernel Support for USB via Bootloader Configuration</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" id="rule-overview-leaf-idp122816016" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1250"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122816016" onclick="return openRuleDetailsDialog('idp122816016')">Disable Booting from USB Devices in Boot Firmware</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bios_assign_password" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_bios_assign_password" id="rule-overview-leaf-idp122818960" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp122818960" onclick="return openRuleDetailsDialog('idp122818960')">Assign Password to Prevent Changes to Boot Firmware Configuration</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-overview-leaf-idp122821952" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"":["SRG-OS-000114-GPOS-00059","SRG-OS-000378-GPOS-00163","SRG-OS-000480-GPOS-00227","020160"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366","778","1958"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-19(a)","AC-19(d)","AC-19(e)","IA-3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122821952" onclick="return openRuleDetailsDialog('idp122821952')">Disable the Automounter</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" id="rule-overview-leaf-idp122825648" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.18"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122825648" onclick="return openRuleDetailsDialog('idp122825648')">Disable Mounting of cramfs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule 
was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" id="rule-overview-leaf-idp122829312" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.19"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122829312" onclick="return openRuleDetailsDialog('idp122829312')">Disable Mounting of freevxfs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" id="rule-overview-leaf-idp122832976" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.20"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122832976" onclick="return openRuleDetailsDialog('idp122832976')">Disable Mounting of jffs2</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" id="rule-overview-leaf-idp122836640" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.21"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122836640" onclick="return openRuleDetailsDialog('idp122836640')">Disable Mounting of hfs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" id="rule-overview-leaf-idp122840304" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.22"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122840304" onclick="return openRuleDetailsDialog('idp122840304')">Disable Mounting of hfsplus</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" id="rule-overview-leaf-idp122843968" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.23"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122843968" onclick="return openRuleDetailsDialog('idp122843968')">Disable Mounting of squashfs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" id="rule-overview-leaf-idp122847632" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.24"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122847632" onclick="return openRuleDetailsDialog('idp122847632')">Disable Mounting of udf</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Verify Permissions on Important Files and
Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_important_account_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify Permissions on Files with Local Account Information and Credentials<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_important_account_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_userowner_shadow_file" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_userowner_shadow_file" id="rule-overview-leaf-idp122851296" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122851296" onclick="return openRuleDetailsDialog('idp122851296')">Verify User Who Owns shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_groupowner_shadow_file" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_groupowner_shadow_file" id="rule-overview-leaf-idp122856208" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122856208" onclick="return openRuleDetailsDialog('idp122856208')">Verify Group Who Owns shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-overview-leaf-idp122861136" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122861136" onclick="return openRuleDetailsDialog('idp122861136')">Verify Permissions on shadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_group" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_group" id="rule-overview-leaf-idp122866096" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122866096" onclick="return openRuleDetailsDialog('idp122866096')">Verify User Who Owns group File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" id="rule-overview-leaf-idp122871008" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122871008" onclick="return openRuleDetailsDialog('idp122871008')">Verify Group Who Owns group File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-overview-leaf-idp122875952" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122875952" onclick="return openRuleDetailsDialog('idp122875952')">Verify Permissions on group File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-overview-leaf-idp122880912" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122880912" onclick="return openRuleDetailsDialog('idp122880912')">Verify User Who Owns gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" id="rule-overview-leaf-idp122885840" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122885840" onclick="return openRuleDetailsDialog('idp122885840')">Verify Group Who Owns gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-overview-leaf-idp122890800" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122890800" onclick="return openRuleDetailsDialog('idp122890800')">Verify Permissions on gshadow File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" id="rule-overview-leaf-idp122895760" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122895760" onclick="return openRuleDetailsDialog('idp122895760')">Verify User Who Owns passwd File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" id="rule-overview-leaf-idp122900672" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122900672" onclick="return openRuleDetailsDialog('idp122900672')">Verify Group Who Owns passwd File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-overview-leaf-idp122905632" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.7.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122905632" onclick="return openRuleDetailsDialog('idp122905632')">Verify Permissions on passwd File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify File Permissions Within Some Important Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_within_important_dirs");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-overview-leaf-idp122910592" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122910592" onclick="return openRuleDetailsDialog('idp122910592')">Verify that Shared Library Files Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-overview-leaf-idp122915552" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20130914 by swells"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122915552" onclick="return openRuleDetailsDialog('idp122915552')">Verify that Shared Library Files Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-overview-leaf-idp122920512" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122920512" onclick="return openRuleDetailsDialog('idp122920512')">Verify that System Executables Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-overview-leaf-idp122925472" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122925472" onclick="return openRuleDetailsDialog('idp122925472')">Verify that System Executables Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-overview-leaf-idp122930432" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.1.17"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120929 by swells"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122930432" onclick="return openRuleDetailsDialog('idp122930432')">Verify that All World-Writable Directories Have Sticky Bits Set</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-overview-leaf-idp122935408" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122935408" onclick="return openRuleDetailsDialog('idp122935408')">Ensure No World-Writable Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-overview-leaf-idp122940416" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122940416" onclick="return openRuleDetailsDialog('idp122940416')">Ensure All SGID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-overview-leaf-idp122945376" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122945376" onclick="return openRuleDetailsDialog('idp122945376')">Ensure All SUID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" id="rule-overview-leaf-idp122950336" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"":["SRG-OS-000480-GPOS-00227","020360"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","CM-6(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122950336" onclick="return openRuleDetailsDialog('idp122950336')">Ensure All Files Are Owned by a User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" id="rule-overview-leaf-idp122953984" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"":["SRG-OS-000480-GPOS-00227","020370"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","IA-2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122953984" onclick="return openRuleDetailsDialog('idp122953984')">Ensure All Files Are Owned by a Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-overview-leaf-idp122957648" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120929 by swells"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122957648" onclick="return openRuleDetailsDialog('idp122957648')">Ensure All World-Writable Directories Are Owned by a System Account</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Programs from Dangerous Execution Patterns</strong> <span class="badge">4x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_daemon_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_daemon_umask" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Daemon Umask<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_daemon_umask");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_umask_for_daemons" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_umask_for_daemons" id="rule-overview-leaf-idp122962608" data-tt-parent-id="xccdf_org.ssgproject.content_group_daemon_umask" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140912 by JL"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122962608" onclick="return openRuleDetailsDialog('idp122962608')">Set Daemon Umask</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_coredumps" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px"><strong>Disable Core Dumps</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_users_coredumps" id="rule-overview-leaf-idp122967072" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.6.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122967072" onclick="return openRuleDetailsDialog('idp122967072')">Disable Core Dumps for All Users</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122972000" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SI-11"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.6.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122972000" onclick="return openRuleDetailsDialog('idp122972000')">Disable Core Dumps for SUID programs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px"><strong>Enable ExecShield</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-overview-leaf-idp122975648" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["2530"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-39"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation 
on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122975648" onclick="return openRuleDetailsDialog('idp122975648')">Enable ExecShield</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122979312" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-30(2)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.6.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122979312" onclick="return openRuleDetailsDialog('idp122979312')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_nx" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_nx" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px"><strong>Enable Execute Disable (XD) or No Execute (NX) Support on
x86 Systems</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122982976" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122982976" onclick="return openRuleDetailsDialog('idp122982976')">Install PAE Kernel on Supported 32-bit x86 Systems</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-overview-leaf-idp122986640" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_nx" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp122986640" onclick="return openRuleDetailsDialog('idp122986640')">Enable NX or XD Support in the BIOS</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122989600" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1314"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SI-11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp122989600" onclick="return openRuleDetailsDialog('idp122989600')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>SELinux</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" id="rule-overview-leaf-idp122993312" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["22","32"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","AC-3(3)","AC-6","AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.4.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp122993312" onclick="return openRuleDetailsDialog('idp122993312')">Ensure SELinux Not Disabled in /etc/default/grub</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp122996976" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","AC-3(3)","AC-4","AC-6","AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.4.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp122996976" onclick="return openRuleDetailsDialog('idp122996976')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idp123001424" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","AC-3(3)","AC-4","AC-6","AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.4.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123001424" onclick="return openRuleDetailsDialog('idp123001424')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-overview-leaf-idp123005888" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.4.4"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123005888" onclick="return openRuleDetailsDialog('idp123005888')">Uninstall setroubleshoot Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_mcstrans_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_mcstrans_removed" id="rule-overview-leaf-idp123009552" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references="{}"><td style="padding-left: 57px"><a href="#rule-detail-idp123009552" onclick="return openRuleDetailsDialog('idp123009552')">Uninstall mcstrans Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" id="rule-overview-leaf-idp123013200" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","AU-9","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.4.6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123013200" onclick="return openRuleDetailsDialog('idp123013200')">Ensure No Daemons are Unconfined by SELinux</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" id="rule-overview-leaf-idp123016864" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["22","32"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","AU-9","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123016864" onclick="return openRuleDetailsDialog('idp123016864')">Ensure No Device Files are Unlabeled by SELinux</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">28x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">7x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Restrict Root Logins</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123020528" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-2(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123020528" onclick="return openRuleDetailsDialog('idp123020528')">Direct root Logins Not Allowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123024160" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["770"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(2)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123024160" onclick="return openRuleDetailsDialog('idp123024160')">Restrict Virtual Console Root Logins</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123027824" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["770"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(2)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123027824" onclick="return openRuleDetailsDialog('idp123027824')">Restrict Serial Port Root Logins</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_root_webbrowsing" id="rule-overview-leaf-idp123031488" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp123031488" onclick="return openRuleDetailsDialog('idp123031488')">Restrict Web Browser Use for Administrative Accounts</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-overview-leaf-idp123035120" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123035120" onclick="return openRuleDetailsDialog('idp123035120')">Ensure that System Accounts Do Not Run a Shell Upon Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-overview-leaf-idp123040080" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"":["SRG-OS-000480-GPOS-00227","020310"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","IA-2(1)","IA-4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123040080" onclick="return openRuleDetailsDialog('idp123040080')">Verify Only Root Has UID 0</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_root_path_default" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_root_path_default" id="rule-overview-leaf-idp123043744" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SA-8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123043744" onclick="return openRuleDetailsDialog('idp123043744')">Root Path Must Be Vendor Default</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was 
not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Verify Proper Storage and Existence of Password
Hashes</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123047376" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"":["SRG-OS-000480-GPOS-00227","010260"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123047376" onclick="return openRuleDetailsDialog('idp123047376')">Prevent Log In to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-overview-leaf-idp123051008" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(h)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123051008" onclick="return openRuleDetailsDialog('idp123051008')">Verify All Account Password 
Hashes are Shadowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-overview-leaf-idp123054672" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"":["SRG-OS-000104-GPOS-00051","020300"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["764"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.5.a"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123054672" onclick="return openRuleDetailsDialog('idp123054672')">All GIDs referenced in /etc/passwd must be defined in /etc/group</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_netrc_files" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_netrc_files" id="rule-overview-leaf-idp123058304" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["196"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(h)","AC-3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123058304" onclick="return openRuleDetailsDialog('idp123058304')">Verify No netrc 
Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-overview-leaf-idp123063216" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(f)","IA-5(1)(a)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123063216" onclick="return openRuleDetailsDialog('idp123063216')">Set Password Minimum Length in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123069040" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["SRG-OS-000075-GPOS-00043","010200"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["198"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(f)","IA-5(1)(d)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123069040" onclick="return openRuleDetailsDialog('idp123069040')">Set Password Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123073552" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["SRG-OS-000076-GPOS-00044","010220"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["199"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(f)","IA-5(g)","IA-5(1)(d)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["7.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.4"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idp123073552" onclick="return openRuleDetailsDialog('idp123073552')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" id="rule-overview-leaf-idp123078064" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(2)","IA-5(f)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123078064" onclick="return openRuleDetailsDialog('idp123078064')">Set Password Warning Age</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_account_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Account Expiration Parameters</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123083904" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"":["SRG-OS-000118-GPOS-00060","010280"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["795"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(2)","AC-2(3)","IA-4(e)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123083904" onclick="return openRuleDetailsDialog('idp123083904')">Set Account Expiration Following Inactivity</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_unique_name" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_unique_name" id="rule-overview-leaf-idp123088432" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["770","804"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123088432" onclick="return openRuleDetailsDialog('idp123088432')">Ensure All Accounts on the System Have Unique Names</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_temp_expire_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_temp_expire_date" id="rule-overview-leaf-idp123093344" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"":["2"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["16","1682"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(2)","AC-2(3)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123093344" onclick="return openRuleDetailsDialog('idp123093344')">Assign Expiration Date to Temporary Accounts</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Configuring PAM</strong> <span class="badge">14x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Password Quality Requirements</strong> <span class="badge">10x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px"><strong>Set Password Quality Requirements with pam_pwquality</strong> <span class="badge">10x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123101280" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" 
data-references='{"":["SRG-OS-000480-GPOS-00225","010410"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)","IA-5(c)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140925 by swells"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123101280" onclick="return openRuleDetailsDialog('idp123101280')">Set Password Retry Prompts Permitted Per-Session</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123105776" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000072-GPOS-00040","010150"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["195"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123105776" onclick="return openRuleDetailsDialog('idp123105776')">Set Password to Maximum of Three Consecutive Repeating Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123110288" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000072-GPOS-00040","010160"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["195"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5","IA-5(c)"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123110288" onclick="return openRuleDetailsDialog('idp123110288')">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123114800" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000071-GPOS-00039","010110"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["194"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(1)(a)","IA-5(b)","IA-5(c)","194"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123114800" onclick="return openRuleDetailsDialog('idp123114800')">Set Password Strength Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123119296" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000078-GPOS-00046","010250"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["205"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(1)(a)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140928 by swells"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123119296" onclick="return openRuleDetailsDialog('idp123119296')">Set Password Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123123792" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000069-GPOS-00037","010090"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["192"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by 
DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123123792" onclick="return openRuleDetailsDialog('idp123123792')">Set Password Strength Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123128288" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000266-GPOS-00101","010120"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1619"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123128288" onclick="return openRuleDetailsDialog('idp123128288')">Set Password Strength Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123132784" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" 
data-references='{"":["SRG-OS-000070-GPOS-00038","010100"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["193"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(a)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123132784" onclick="return openRuleDetailsDialog('idp123132784')">Set Password Strength Minimum Lowercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123137280" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000072-GPOS-00040","010130"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["195"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(b)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123137280" onclick="return openRuleDetailsDialog('idp123137280')">Set Password Strength Minimum Different Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" class="rule-overview-leaf 
rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123141776" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000072-GPOS-00040","010140"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["195"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140626 by JL"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123141776" onclick="return openRuleDetailsDialog('idp123141776')">Set Password Strength Minimum Different Categories</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Lockouts for Failed Password Attempts</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123146288" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" 
data-references='{"":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005","010370"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["2238"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-7(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.3"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123146288" onclick="return openRuleDetailsDialog('idp123146288')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123150816" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005","010371"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["002238"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-7(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.3"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123150816" onclick="return openRuleDetailsDialog('idp123150816')">Set Lockout Time For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123155392" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["21"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["44"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-7(a)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123155392" onclick="return openRuleDetailsDialog('idp123155392')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123159952" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["SRG-OS-000077-GPOS-00045","010240"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["200"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(f)","IA-5(1)(e)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123159952" onclick="return openRuleDetailsDialog('idp123159952')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system 
component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Hashing Algorithm<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_set_password_hashing_algorithm");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-overview-leaf-idp123164464" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"":["SRG-OS-000073-GPOS-00041","010170"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["196"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123164464" onclick="return openRuleDetailsDialog('idp123164464')">Set PAM's Password Hashing Algorithm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-overview-leaf-idp123168160" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"":["SRG-OS-000073-GPOS-00041","010180"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["196"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.3.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123168160" onclick="return openRuleDetailsDialog('idp123168160')">Set Password Hashing Algorithm in /etc/login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-overview-leaf-idp123171840" data-tt-parent-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-references='{"":["SRG-OS-000073-GPOS-00041","010190"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["196"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5(b)","IA-5(c)","IA-5(1)(c)","IA-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by 
DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123171840" onclick="return openRuleDetailsDialog('idp123171840')">Set Password Hashing Algorithm in /etc/libuser.conf</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_display_login_attempts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-overview-leaf-idp123097632" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["53"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123097632" onclick="return openRuleDetailsDialog('idp123097632')">Set Last Logon/Access Notification</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Secure Session Configuration Files for Login Accounts</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_paths" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_paths" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px">Ensure that No Dangerous Directories Exist in Root's Path<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_paths");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_root_path_no_dot" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_root_path_no_dot" id="rule-overview-leaf-idp123184544" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_paths" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123184544" onclick="return openRuleDetailsDialog('idp123184544')">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" id="rule-overview-leaf-idp123188176" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_paths" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123188176" onclick="return openRuleDetailsDialog('idp123188176')">Ensure that Root's Path Does Not Include World or Group-Writable Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px">Ensure that Users Have Sensible Umask Values<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_user_umask");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-overview-leaf-idp123198096" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SA-8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140912 by JL"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123198096" onclick="return openRuleDetailsDialog('idp123198096')">Ensure the Default Bash Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" id="rule-overview-leaf-idp123203872" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SA-8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140912 by JL"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123203872" onclick="return openRuleDetailsDialog('idp123203872')">Ensure the Default C Shell Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-overview-leaf-idp123209664" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SA-8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20120929 by swells"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123209664" onclick="return openRuleDetailsDialog('idp123209664')">Ensure the Default Umask is Set Correctly in /etc/profile</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-overview-leaf-idp123215456" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SA-8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140912 by JL"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123215456" onclick="return openRuleDetailsDialog('idp123215456')">Ensure the Default Umask is Set Correctly in login.defs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_tmout" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123175536" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"":["SRG-OS-000163-GPOS-00072","040160"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1133","0361"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-12","SC-10"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123175536" onclick="return openRuleDetailsDialog('idp123175536')">Set Interactive Session Timeout</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123179984" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"":["SRG-OS-000027-GPOS-00008","040010"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["54"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-10"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123179984" onclick="return openRuleDetailsDialog('idp123179984')">Limit the Number of Concurrent Login Sessions Allowed Per User</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_home_dirs" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_home_dirs" id="rule-overview-leaf-idp123193136" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["225"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(7)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123193136" onclick="return openRuleDetailsDialog('idp123193136')">Ensure that User Home Directories are not Group-Writable or World-Readable</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Physical Console Access</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical"><td colspan="3" style="padding-left: 76px"><strong>Set Boot Loader Password</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" 
id="rule-overview-leaf-idp123221248" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["225"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(7)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.5.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-7.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123221248" onclick="return openRuleDetailsDialog('idp123221248')">Verify /boot/grub2/grub.cfg User Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" id="rule-overview-leaf-idp123226192" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["225"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(7)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.5.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-7.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123226192" onclick="return openRuleDetailsDialog('idp123226192')">Verify /boot/grub2/grub.cfg Group 
Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" id="rule-overview-leaf-idp123231152" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["225"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6(7)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.5.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123231152" onclick="return openRuleDetailsDialog('idp123231152')">Verify /boot/grub2/grub.cfg Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bootloader_password" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123236112" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader" data-references='{"":["SRG-OS-000080-GPOS-00048","010460"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["213"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-2(1)","IA-5(e)","AC-3"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.5.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123236112" onclick="return openRuleDetailsDialog('idp123236112')">Set Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical"><td colspan="3" style="padding-left: 76px"><strong>Configure Screen Locking</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_console_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px"><strong>Configure Console Screen Locking</strong> <span class="badge">1x 
fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_screen_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123254368" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"":["SRG-OS-000029-GPOS-00010","010072"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["57"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-11(a)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123254368" onclick="return openRuleDetailsDialog('idp123254368')">Install the screen Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px">Hardware Tokens for Authentication<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_smart_card_login");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="rule-overview-leaf-idp123258016" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["765","766","767","768","771","772","884"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.3"]}'><td 
style="padding-left: 114px"><a href="#rule-detail-idp123258016" onclick="return openRuleDetailsDialog('idp123258016')">Enable Smart Card Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idp123239744" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["213"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-2(1)","AC-3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123239744" onclick="return openRuleDetailsDialog('idp123239744')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="rule-overview-leaf-idp123243392" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp123243392" onclick="return openRuleDetailsDialog('idp123243392')">Disable debug-shell SystemD Service</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123247056" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["SRG-OS-000480-GPOS-00227","020220"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123247056" onclick="return openRuleDetailsDialog('idp123247056')">Disable Ctrl-Alt-Del Reboot Activation</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_interactive_boot" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123250720" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["213"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-2","AC-3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123250720" onclick="return openRuleDetailsDialog('idp123250720')">Disable Interactive Boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-banners" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Warning Banners for System Accesses</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gui_login_banner" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners"><td colspan="3" style="padding-left: 76px">Implement a GUI Warning Banner<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gui_login_banner");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-overview-leaf-idp123267376" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"":["OS-SRG-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088","010031"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["48"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123267376" onclick="return openRuleDetailsDialog('idp123267376')">Enable GNOME3 Login Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-overview-leaf-idp123271040" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"":["23"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["48","50","1384","1385","1386","1387","1388"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-8(a)","AC-8(b)","AC-8(c)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123271040" onclick="return openRuleDetailsDialog('idp123271040')">Set the GNOME3 Login Warning Banner Text</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_banner_etc_issue" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123262928" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners" data-references='{"":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","010040"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["48"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123262928" onclick="return openRuleDetailsDialog('idp123262928')">Modify the System Login Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Network Configuration and Firewalls</strong> <span class="badge">10x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Disable Unused Interfaces<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_disable_unused_interfaces");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>Kernel Parameters Which Affect Networking</strong> <span class="badge">6x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px"><strong>Network Parameters for Hosts Only</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123282816" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123282816" onclick="return openRuleDetailsDialog('idp123282816')">Disable Kernel Parameter for Sending ICMP Redirects by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123286512" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","SC-5(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123286512" onclick="return openRuleDetailsDialog('idp123286512')">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of 
the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idp123290192" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123290192" onclick="return openRuleDetailsDialog('idp123290192')">Disable Kernel Parameter for IP Forwarding</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px"><strong>Network Related Kernel Runtime Parameters for Hosts and Routers</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idp123295152" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["SRG-OS-000480-GPOS-00227","040350"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123295152" onclick="return openRuleDetailsDialog('idp123295152')">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123301040" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1503","1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123301040" onclick="return openRuleDetailsDialog('idp123301040')">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-overview-leaf-idp123305616" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1503","1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123305616" onclick="return openRuleDetailsDialog('idp123305616')">Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-overview-leaf-idp123311488" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","CM-7","SC-5(3)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123311488" onclick="return openRuleDetailsDialog('idp123311488')">Configure Kernel Parameter to Log Martian Packets</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result 
rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" id="rule-overview-leaf-idp123317328" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","CM-7","SC-5(3)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123317328" onclick="return openRuleDetailsDialog('idp123317328')">Configure Kernel Parameter to Log Martian Packets By Default</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idp123323200" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["SRG-OS-000480-GPOS-00227","040350"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123323200" onclick="return openRuleDetailsDialog('idp123323200')">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123327792" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123327792" onclick="return openRuleDetailsDialog('idp123327792')">Configure Kernel Parameter for Accepting ICMP Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-overview-leaf-idp123332368" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123332368" onclick="return openRuleDetailsDialog('idp123332368')">Configure Kernel Parameter for Accepting Secure Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the 
evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123338256" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["SRG-OS-000480-GPOS-00227","040380"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123338256" onclick="return openRuleDetailsDialog('idp123338256')">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-overview-leaf-idp123342864" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" 
data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","SC-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123342864" onclick="return openRuleDetailsDialog('idp123342864')">Configure Kernel Parameter to Ignore Bogus ICMP Error Responses</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123348768" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["SRG-OS-000480-GPOS-00227","040430"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","SC-5(1)(2)","SC-5(2)","SC-5(3)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123348768" onclick="return openRuleDetailsDialog('idp123348768')">Configure Kernel Parameter to Use TCP Syncookies</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-overview-leaf-idp123353280" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123353280" onclick="return openRuleDetailsDialog('idp123353280')">Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-overview-leaf-idp123359104" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4","SC-5","SC-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.2.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123359104" onclick="return openRuleDetailsDialog('idp123359104')">Configure Kernel Parameter to Use Reverse Path Filtering by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>Wireless Networking</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" style="padding-left: 76px"><strong>Disable Wireless Through Software Configuration</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" id="rule-overview-leaf-idp123364960" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["85"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123364960" onclick="return openRuleDetailsDialog('idp123364960')">Disable WiFi or Bluetooth in BIOS</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. 
This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-overview-leaf-idp123367920" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["85"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.3.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123367920" onclick="return openRuleDetailsDialog('idp123367920')">Deactivate Wireless Network Interfaces</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" id="rule-overview-leaf-idp123371632" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["85","1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123371632" onclick="return openRuleDetailsDialog('idp123371632')">Disable Bluetooth Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123375296" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["85","1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","AC-18(a)","AC-18(d)","AC-18(3)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20141031 by JL"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123375296" onclick="return openRuleDetailsDialog('idp123375296')">Disable Bluetooth Kernel Modules</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 
57px"><strong>IPv6</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Disable Support for IPv6 Unless Needed<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable" id="rule-overview-leaf-idp123378960" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.4.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123378960" onclick="return openRuleDetailsDialog('idp123378960')">Disable IPv6 Networking Support Automatic Loading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" id="rule-overview-leaf-idp123383920" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp123383920" onclick="return openRuleDetailsDialog('idp123383920')">Disable Interface Usage of IPv6</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" id="rule-overview-leaf-idp123386288" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123386288" onclick="return openRuleDetailsDialog('idp123386288')">Disable Support for RPC IPv6</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px"><strong>Configure IPv6 Settings if Necessary</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6"><td colspan="3" style="padding-left: 95px"><strong>Disable Automatic Configuration</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123389936" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"":["SRG-OS-000480-GPOS-00227","040860"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123389936" onclick="return openRuleDetailsDialog('idp123389936')">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" 
class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" id="rule-overview-leaf-idp123394512" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.4.1.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123394512" onclick="return openRuleDetailsDialog('idp123394512')">Configure Accepting IPv6 Router Advertisements</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" id="rule-overview-leaf-idp123400336" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.4.1.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123400336" onclick="return openRuleDetailsDialog('idp123400336')">Configure Accepting IPv6 Router Advertisements</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-overview-leaf-idp123406192" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.4.1.2"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123406192" onclick="return openRuleDetailsDialog('idp123406192')">Configure Accepting IPv6 Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-overview-leaf-idp123412064" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1551"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.4.1.2"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp123412064" onclick="return openRuleDetailsDialog('idp123412064')">Configure Accepting IPv6 Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6"><td colspan="3" style="padding-left: 95px">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_ipv6_limit_requests");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_ipv6_static_address" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_ipv6_static_address" id="rule-overview-leaf-idp123417952" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123417952" onclick="return openRuleDetailsDialog('idp123417952')">Manually Assign Global IPv6 Address</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" id="rule-overview-leaf-idp123421616" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123421616" onclick="return openRuleDetailsDialog('idp123421616')">Use Privacy Extensions for Address</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" id="rule-overview-leaf-idp123425280" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123425280" onclick="return openRuleDetailsDialog('idp123425280')">Manually Assign IPv6 Router Address</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>firewalld</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Inspect and Activate Default firewalld Rules</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123428944" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"":["SRG-OS-000480-GPOS-00227","040810"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123428944" onclick="return openRuleDetailsDialog('idp123428944')">Verify firewalld Enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Strengthen the Default Ruleset</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123432608" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["66","1109","1154","1414"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123432608" onclick="return openRuleDetailsDialog('idp123432608')">Set Default firewalld Zone for Incoming Packets</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_ssl" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_ssl" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Transport Layer Security Support<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_ssl");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-uncommon" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Uncommon Network 
Protocols<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-uncommon");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-overview-leaf-idp123436272" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.6.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123436272" onclick="return openRuleDetailsDialog('idp123436272')">Disable DCCP Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="rule-overview-leaf-idp123441232" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["4.6.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123441232" onclick="return openRuleDetailsDialog('idp123441232')">Disable SCTP Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipsec" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipsec" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>IPSec Support</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_libreswan_installed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_libreswan_installed" id="rule-overview-leaf-idp123446192" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipsec" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1130","1131"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17","MA-4","SC-9"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-4.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123446192" onclick="return openRuleDetailsDialog('idp123446192')">Install libreswan Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-overview-leaf-idp123451152" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipsec" data-references='{"":["SRG-OS-000480-GPOS-00227","040830"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["336"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123451152" onclick="return openRuleDetailsDialog('idp123451152')">Verify Any Configured IPSec Tunnel Connections</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_disable_zeroconf" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_disable_zeroconf" id="rule-overview-leaf-idp123275520" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123275520" onclick="return openRuleDetailsDialog('idp123275520')">Disable Zeroconf Networking</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-overview-leaf-idp123279168" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MA-3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123279168" onclick="return openRuleDetailsDialog('idp123279168')">Ensure System is Not Acting as a Network Sniffer</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure Proper Configuration of Log Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-overview-leaf-idp123465328" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1314"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","SI-11"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123465328" onclick="return openRuleDetailsDialog('idp123465328')">Ensure Log Files Are Owned By Appropriate User</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-overview-leaf-idp123470256" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1314"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","SI-11"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123470256" onclick="return openRuleDetailsDialog('idp123470256')">Ensure Log Files Are Owned By Appropriate Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-overview-leaf-idp123475216" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1314"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SI-11"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123475216" onclick="return openRuleDetailsDialog('idp123475216')">Ensure System Log Files Have Correct Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123480160" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1348","136","1851"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-3(2)","AU-4(1)","AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123480160" onclick="return openRuleDetailsDialog('idp123480160')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Configure rsyslogd to Accept Remote Messages If Acting as a Log 
Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-overview-leaf-idp123483808" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9(2)","AC-4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123483808" onclick="return openRuleDetailsDialog('idp123483808')">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp" id="rule-overview-leaf-idp123487440" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123487440" onclick="return openRuleDetailsDialog('idp123487440')">Enable rsyslog to Accept Messages via TCP, if Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result 
rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp" id="rule-overview-leaf-idp123489808" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123489808" onclick="return openRuleDetailsDialog('idp123489808')">Enable rsyslog to Accept Messages via UDP, if Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_log_rotation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px">Ensure All Logs are Rotated by logrotate<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_log_rotation");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-overview-leaf-idp123492176" data-tt-parent-id="xccdf_org.ssgproject.content_group_log_rotation" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123492176" onclick="return openRuleDetailsDialog('idp123492176')">Ensure Logrotate Runs Periodically</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"> Configure Logwatch on the Central Log Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit" id="rule-overview-leaf-idp123497136" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp123497136" onclick="return openRuleDetailsDialog('idp123497136')">Configure Logwatch HostLimit Line</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_logwatch_configured_splithosts" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_logwatch_configured_splithosts" id="rule-overview-leaf-idp123500800" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp123500800" onclick="return openRuleDetailsDialog('idp123500800')">Configure Logwatch SplitHosts Line</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idp123455456" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1311","1312"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9(2)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123455456" onclick="return openRuleDetailsDialog('idp123455456')">Ensure rsyslog is Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr 
title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-overview-leaf-idp123460400" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1311","1312","1557","1851"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-4(1)","AU-12"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123460400" onclick="return openRuleDetailsDialog('idp123460400')">Enable rsyslog Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver" id="rule-overview-leaf-idp123504464" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references="{}"><td style="padding-left: 57px"><a href="#rule-detail-idp123504464" onclick="return openRuleDetailsDialog('idp123504464')"> Disable Logwatch on Clients if a Logserver Exists</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with auditd</strong> <span class="badge">35x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Data Retention</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" 
id="rule-overview-leaf-idp123514144" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-11","IR-5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123514144" onclick="return openRuleDetailsDialog('idp123514144')">Configure auditd Number of Logs Retained</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" id="rule-overview-leaf-idp123518624" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-11","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123518624" onclick="return openRuleDetailsDialog('idp123518624')">Configure auditd Max Log File Size</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" id="rule-overview-leaf-idp123523120" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-4","AU-11","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.1.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123523120" onclick="return openRuleDetailsDialog('idp123523120')">Configure auditd max_log_file_action Upon Reaching Maximum Log Size</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123527664" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["140","143"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-4","AU-5(b)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by 
DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123527664" onclick="return openRuleDetailsDialog('idp123527664')">Configure auditd space_left Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123532192" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["140","1343"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-4","AU-5(b)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123532192" onclick="return openRuleDetailsDialog('idp123532192')">Configure auditd admin_space_left Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" 
id="rule-overview-leaf-idp123536736" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["139","144"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-4","AU-5(a)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.1.2"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.7.a"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123536736" onclick="return openRuleDetailsDialog('idp123536736')">Configure auditd mail_acct Action on Low Disk Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123541264" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1576"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-9","AU-12(1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123541264" onclick="return openRuleDetailsDialog('idp123541264')">Configure auditd flush priority</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123545744" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["136"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-1(b)","AU-3(2)","IR-5"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123545744" onclick="return openRuleDetailsDialog('idp123545744')">Configure auditd to use audispd's syslog plugin</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Rules for Comprehensive Auditing</strong> <span class="badge">30x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_time_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_time_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Records Events that Modify Date and Time Information</strong> <span class="badge">5x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123549424" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1487","169"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.4"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123549424" onclick="return openRuleDetailsDialog('idp123549424')">Record attempts to alter time through adjtimex</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123553088" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1487","169"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.4"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123553088" onclick="return openRuleDetailsDialog('idp123553088')">Record attempts to alter time through settimeofday</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123556752" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1487","169"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123556752" onclick="return openRuleDetailsDialog('idp123556752')">Record Attempts to Alter Time Through stime</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123560400" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1487","169"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.4"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123560400" onclick="return openRuleDetailsDialog('idp123560400')">Record Attempts to Alter Time Through clock_settime</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123564064" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1487","169"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(b)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.4"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123564064" onclick="return openRuleDetailsDialog('idp123564064')">Record Attempts to Alter the localtime File</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Events that Modify the System's Discretionary Access Controls</strong> <span class="badge">13x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123587360" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123587360" onclick="return openRuleDetailsDialog('idp123587360')">Record Events that Modify the System's Discretionary Access Controls - chmod</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123591024" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123591024" onclick="return openRuleDetailsDialog('idp123591024')">Record Events that Modify the System's Discretionary Access Controls - chown</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123594688" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123594688" onclick="return openRuleDetailsDialog('idp123594688')">Record Events that Modify the System's Discretionary Access Controls - fchmod</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123598352" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123598352" onclick="return 
openRuleDetailsDialog('idp123598352')">Record Events that Modify the System's Discretionary Access Controls - fchmodat</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123602016" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123602016" onclick="return openRuleDetailsDialog('idp123602016')">Record Events that Modify the System's Discretionary Access Controls - fchown</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123605680" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123605680" onclick="return openRuleDetailsDialog('idp123605680')">Record Events that Modify the System's Discretionary Access Controls - fchownat</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123609344" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123609344" onclick="return openRuleDetailsDialog('idp123609344')">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123613040" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123613040" onclick="return openRuleDetailsDialog('idp123613040')">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123616720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123616720" onclick="return 
openRuleDetailsDialog('idp123616720')">Record Events that Modify the System's Discretionary Access Controls - lchown</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123620384" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123620384" onclick="return openRuleDetailsDialog('idp123620384')">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123624080" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123624080" onclick="return openRuleDetailsDialog('idp123624080')">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123627760" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123627760" onclick="return openRuleDetailsDialog('idp123627760')">Record Events that Modify the System's Discretionary Access Controls - removexattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition 
of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123631440" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp123631440" onclick="return openRuleDetailsDialog('idp123631440')">Record Events that Modify the System's Discretionary Access Controls - setxattr</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123567728" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"":["030710","SRG–OS–000004–GPOS–00004","SRG–OS–000239–GPOS–00089","SRG–OS–000241–GPOS–00090","SRG–OS–000241–GPOS–00091","SRG–OS–000303–GPOS–00120","SRG–OS–000476–GPOS–00221"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["18","172","1403","2130"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(4)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.5"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123567728" onclick="return openRuleDetailsDialog('idp123567728')">Record Events that Modify User/Group Information</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123571392" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.6"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123571392" onclick="return openRuleDetailsDialog('idp123571392')">Record Events that Modify the System's Network Environment</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" id="rule-overview-leaf-idp123575072" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","AU-1(b)","AU-9","IR-5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123575072" onclick="return openRuleDetailsDialog('idp123575072')">System Audit Logs Must Have Mode 0640 or Less Permissive</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" id="rule-overview-leaf-idp123578736" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000058-GPOS-00028","030120"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["163"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","AU-1(b)","AU-9","IR-5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by 
DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123578736" onclick="return openRuleDetailsDialog('idp123578736')">System Audit Logs Must Be Owned By Root</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123583696" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.7"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123583696" onclick="return openRuleDetailsDialog('idp123583696')">Record Events that Modify the System's Mandatory Access Controls</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123635104" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218","030490"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["172","2884"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.8"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123635104" onclick="return openRuleDetailsDialog('idp123635104')">Record Attempts to Alter Logon and Logout Events</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_session_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123638752" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.9"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123638752" onclick="return openRuleDetailsDialog('idp123638752')">Record Attempts to Alter Process and Session Initiation Information</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123642416" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000064-GPOS-00033","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000392-GPOS-00172","030420"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["172","2884"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123642416" onclick="return openRuleDetailsDialog('idp123642416')">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123646112" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"":["SRG-OS-000327-GPOS-00127","030310"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["2234"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-2(4)","AU-6(9)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.10"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123646112" onclick="return openRuleDetailsDialog('idp123646112')">Ensure auditd Collects Information on the Use of Privileged Commands</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_media_export" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123649776" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000042-GPOS-00020","SRG-OS-000392-GPOS-00172","030530"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["135","2884"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-3(1)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.13"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123649776" 
onclick="return openRuleDetailsDialog('idp123649776')">Ensure auditd Collects Information on Exporting to Media (successful)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123653424" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000480-GPOS-00227","030750"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.14"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123653424" onclick="return openRuleDetailsDialog('idp123653424')">Ensure auditd Collects File Deletion Events by User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123657088" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(7)(b)","AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.2","Req-10.2.5.b"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123657088" onclick="return openRuleDetailsDialog('idp123657088')">Ensure auditd Collects System Administrator Actions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123660752" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000471-GPOS-00216","SRG-OS-000477","GPOS-00222","030670"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["172"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(7)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-12(a)","AU-12(c)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.17"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.2.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123660752" onclick="return openRuleDetailsDialog('idp123660752')">Ensure auditd Collects Information on Kernel Module Loading and Unloading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or 
system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_immutable" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123664416" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.18"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123664416" onclick="return openRuleDetailsDialog('idp123664416')">Make the auditd Configuration Immutable</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-overview-leaf-idp123506832" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"":["SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000042-GPOS-00021","SRG-OS-000254-GPOS-00095","SRG-OS-000255-GPOS-00096","030010"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["126","131"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-3","AC-17(1)","AU-1(b)","AU-10","AU-12(a)","AU-12(c)","AU-14(1)","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test 
attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123506832" onclick="return openRuleDetailsDialog('idp123506832')">Enable auditd Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_bootloader_audit_argument" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123510480" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1464","130"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(1)","AU-14(1)","AU-1(b)","AU-2(a)","AU-2(c)","AU-2(d)","AU-10","IR-5"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["5.2.3"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123510480" onclick="return openRuleDetailsDialog('idp123510480')">Enable Auditing for Processes Which Start Prior to the Audit Daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px"><strong>Services</strong> <span class="badge">18x fail</span></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Xinetd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_inetd_and_xinetd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-overview-leaf-idp123668048" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["305"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123668048" onclick="return openRuleDetailsDialog('idp123668048')">Disable xinetd Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xinetd_removed" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-overview-leaf-idp123671696" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["305"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.11"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123671696" onclick="return openRuleDetailsDialog('idp123671696')">Uninstall xinetd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed" id="rule-overview-leaf-idp123675344" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123675344" onclick="return openRuleDetailsDialog('idp123675344')">Install tcp_wrappers Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-overview-leaf-idp123680304" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7","IA-5(1)(c)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140922 by JL"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123680304" onclick="return openRuleDetailsDialog('idp123680304')">Disable telnet Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idp123683952" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" 
data-references='{"":["SRG-OS-000095-GPOS-00049","021910"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7(a)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123683952" onclick="return openRuleDetailsDialog('idp123683952')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-overview-leaf-idp123687616" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123687616" onclick="return openRuleDetailsDialog('idp123687616')">Remove telnet Clients</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and 
Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idp123691264" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"":["SRG-OS-000095-GPOS-00049","020000"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7(a)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.3"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123691264" onclick="return openRuleDetailsDialog('idp123691264')">Uninstall rsh-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled" id="rule-overview-leaf-idp123694928" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["68","1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123694928" onclick="return 
openRuleDetailsDialog('idp123694928')">Disable rexec Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsh_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled" id="rule-overview-leaf-idp123698576" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["68","1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7","IA-5(1)(c)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123698576" onclick="return openRuleDetailsDialog('idp123698576')">Disable rsh Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-overview-leaf-idp123702208" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140530 by JL"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123702208" onclick="return openRuleDetailsDialog('idp123702208')">Uninstall rsh Package</a></td><td class="rule-severity" 
style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled" id="rule-overview-leaf-idp123705840" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7","IA-5(1)(c)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123705840" onclick="return openRuleDetailsDialog('idp123705840')">Disable rlogin Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files" id="rule-overview-leaf-idp123709488" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123709488" onclick="return openRuleDetailsDialog('idp123709488')">Remove Rsh Trust Files</a></td><td class="rule-severity" style="text-align: center">high</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-overview-leaf-idp123713120" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"":["SRG-OS-000095-GPOS-00049","020010"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7(a)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123713120" onclick="return openRuleDetailsDialog('idp123713120')">Uninstall ypserv Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_ypbind_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_ypbind_disabled" id="rule-overview-leaf-idp123716768" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["305"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123716768" onclick="return openRuleDetailsDialog('idp123716768')">Disable ypbind Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypbind_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-overview-leaf-idp123720416" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123720416" onclick="return openRuleDetailsDialog('idp123720416')">Remove NIS Client</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">TFTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_tftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_tftp_disabled" class="rule-overview-leaf 
rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_tftp_disabled" id="rule-overview-leaf-idp123724064" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123724064" onclick="return openRuleDetailsDialog('idp123724064')">Disable tftp Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-overview-leaf-idp123728976" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"":["SRG-OS-000480-GPOS-00227","040500"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["318","368","1812","1813","1814"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-6(c)","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121026 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123728976" onclick="return openRuleDetailsDialog('idp123728976')">Uninstall tftp-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tftp_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-overview-leaf-idp123732640" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123732640" onclick="return openRuleDetailsDialog('idp123732640')">Remove tftp Daemon</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-overview-leaf-idp123737552" data-tt-parent-id="xccdf_org.ssgproject.content_group_tftp" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123737552" onclick="return openRuleDetailsDialog('idp123737552')">Ensure tftp Daemon Uses Secure Mode</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Chat/Messaging Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_talk");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-overview-leaf-idp123742480" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.10"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140625 by JL"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123742480" onclick="return openRuleDetailsDialog('idp123742480')">Uninstall talk-server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-overview-leaf-idp123746160" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" 
data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.9"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140625 by JL"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123746160" onclick="return openRuleDetailsDialog('idp123746160')">Uninstall talk Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_base" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Base Services</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_abrtd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_abrtd_disabled" id="rule-overview-leaf-idp123749792" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20140921 by JL"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123749792" onclick="return openRuleDetailsDialog('idp123749792')">Disable Automatic Bug Reporting Tool (abrtd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_acpid_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_acpid_disabled" id="rule-overview-leaf-idp123754720" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123754720" onclick="return openRuleDetailsDialog('idp123754720')">Disable Advanced Configuration and Power Interface (acpid)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_certmonger_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_certmonger_disabled" id="rule-overview-leaf-idp123759648" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123759648" onclick="return openRuleDetailsDialog('idp123759648')">Disable Certmonger Service (certmonger)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_cgconfig_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_cgconfig_disabled" id="rule-overview-leaf-idp123764608" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123764608" onclick="return openRuleDetailsDialog('idp123764608')">Disable Control Group Config (cgconfig)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_cgred_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_cgred_disabled" id="rule-overview-leaf-idp123769552" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123769552" onclick="return openRuleDetailsDialog('idp123769552')">Disable Control Group Rules Engine (cgred)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_cpupower_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_cpupower_disabled" id="rule-overview-leaf-idp123774480" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123774480" onclick="return openRuleDetailsDialog('idp123774480')">Disable CPU Speed (cpupower)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_irqbalance_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_irqbalance_enabled" id="rule-overview-leaf-idp123779424" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123779424" onclick="return openRuleDetailsDialog('idp123779424')">Enable IRQ Balance (irqbalance)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_kdump_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123784384" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"":["SRG-OS-000480-GPOS-00227","021230"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7","CM-6(b)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123784384" onclick="return openRuleDetailsDialog('idp123784384')">Disable KDump Kernel Crash Analyzer (kdump)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled" id="rule-overview-leaf-idp123788032" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123788032" onclick="return openRuleDetailsDialog('idp123788032')">Disable Software RAID Monitor (mdmonitor)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_messagebus_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_messagebus_disabled" id="rule-overview-leaf-idp123792992" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123792992" onclick="return openRuleDetailsDialog('idp123792992')">Disable D-Bus IPC Service (messagebus)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_netconsole_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_netconsole_disabled" id="rule-overview-leaf-idp123797952" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123797952" onclick="return openRuleDetailsDialog('idp123797952')">Disable Network Console (netconsole)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" id="rule-overview-leaf-idp123802912" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["382"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123802912" onclick="return openRuleDetailsDialog('idp123802912')">Disable ntpdate Service (ntpdate)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled" id="rule-overview-leaf-idp123807840" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123807840" onclick="return openRuleDetailsDialog('idp123807840')">Disable Odd Job Daemon (oddjobd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_portreserve_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_portreserve_disabled" id="rule-overview-leaf-idp123812768" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123812768" onclick="return openRuleDetailsDialog('idp123812768')">Disable Portreserve (portreserve)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_psacct_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_psacct_enabled" id="rule-overview-leaf-idp123817728" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-12","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123817728" onclick="return openRuleDetailsDialog('idp123817728')">Enable Process Accounting (psacct)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_qpidd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_qpidd_disabled" id="rule-overview-leaf-idp123822656" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["382"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123822656" onclick="return openRuleDetailsDialog('idp123822656')">Disable Apache Qpid (qpidd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_quota_nld_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_quota_nld_disabled" id="rule-overview-leaf-idp123827584" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123827584" onclick="return openRuleDetailsDialog('idp123827584')">Disable Quota Netlink (quota_nld)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled" id="rule-overview-leaf-idp123832544" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["382"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","AC-4","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123832544" onclick="return openRuleDetailsDialog('idp123832544')">Disable Network Router Discovery Daemon (rdisc)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rhnsd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rhnsd_disabled" id="rule-overview-leaf-idp123837472" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["382"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["1.2.4"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123837472" onclick="return openRuleDetailsDialog('idp123837472')">Disable Red Hat Network Service (rhnsd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled" id="rule-overview-leaf-idp123842400" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123842400" onclick="return openRuleDetailsDialog('idp123842400')">Disable Red Hat Subscription Manager Daemon (rhsmcertd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_saslauthd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_saslauthd_disabled" id="rule-overview-leaf-idp123847360" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8)","CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123847360" onclick="return openRuleDetailsDialog('idp123847360')">Disable Cyrus SASL Authentication Daemon (saslauthd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_smartd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_smartd_disabled" id="rule-overview-leaf-idp123852320" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123852320" onclick="return openRuleDetailsDialog('idp123852320')">Disable SMART Disk Monitoring Service (smartd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_sysstat_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_sysstat_disabled" id="rule-overview-leaf-idp123857248" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123857248" onclick="return openRuleDetailsDialog('idp123857248')">Disable System Statistics Reset Service (sysstat)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Cron and At Daemons<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_cron_and_at");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at"><td colspan="3" style="padding-left: 57px">Restrict at and cron to Authorized Users if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrict_at_cron_users");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled" id="rule-overview-leaf-idp123862176" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.1.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123862176" onclick="return openRuleDetailsDialog('idp123862176')">Enable cron Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_anacron" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_anacron" id="rule-overview-leaf-idp123865808" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123865808" onclick="return openRuleDetailsDialog('idp123865808')">Disable anacron Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled" id="rule-overview-leaf-idp123869440" data-tt-parent-id="xccdf_org.ssgproject.content_group_cron_and_at" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["381"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123869440" onclick="return openRuleDetailsDialog('idp123869440')">Disable At Service (atd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>SSH Server</strong> <span class="badge">14x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px"><strong>Configure OpenSSH Server if Necessary</strong> <span class="badge">13x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server"><td colspan="3" style="padding-left: 76px">Strengthen Firewall Configuration if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_sshd_strengthen_firewall");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123898832" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"":["SRG-OS-000074-GPOS-00042","SRG-OS-000480-GPOS-00227","040590"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["197","366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8).1(ii)","IA-5(1)(c)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.1"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123898832" onclick="return openRuleDetailsDialog('idp123898832')">Allow Only SSH Protocol 2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_limit_user_access" id="rule-overview-leaf-idp123902496" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123902496" onclick="return openRuleDetailsDialog('idp123902496')">Limit Users' SSH Access</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-overview-leaf-idp123904864" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000364-GPOS-00151","040660"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["368","318","1812","1813","1814"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(c)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123904864" onclick="return openRuleDetailsDialog('idp123904864')">Disable GSSAPI Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123908512" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000364-GPOS-00151","040670"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["368","318","1812","1813","1814"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(c)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123908512" onclick="return openRuleDetailsDialog('idp123908512')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123912160" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040680"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123912160" onclick="return openRuleDetailsDialog('idp123912160')">Enable Use of StrictModes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123915808" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040690"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123915808" onclick="return openRuleDetailsDialog('idp123915808')">Enable Use of Privilege Separation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_compression" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123919456" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"":["SRG-OS-000480-GPOS-00227","040700"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123919456" onclick="return openRuleDetailsDialog('idp123919456')">Disable Compression Or Set Compression to delayed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-overview-leaf-idp123923104" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040300"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123923104" onclick="return openRuleDetailsDialog('idp123923104')">Print Last Log</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123928016" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109","040190"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1133","2361"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(5)","SA-8(i)","AC-12"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.12"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123928016" onclick="return openRuleDetailsDialog('idp123928016')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123932480" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1133","2361"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-2(5)","SA-8","AC-12"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.12"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123932480" onclick="return openRuleDetailsDialog('idp123932480')">Set SSH Client Alive Count</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-overview-leaf-idp123936112" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["unknown"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123936112" onclick="return openRuleDetailsDialog('idp123936112')">Disable SSH Support for .rhosts Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-overview-leaf-idp123939744" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00229","010442"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","CM-6(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123939744" onclick="return openRuleDetailsDialog('idp123939744')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_x11_forwarding" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_enable_x11_forwarding" id="rule-overview-leaf-idp123943376" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040540"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-2(1)(b)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123943376" onclick="return openRuleDetailsDialog('idp123943376')">Enable Encrypted X11 Forwarding</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" 
class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123947008" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040310"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","AC-6(2)","IA-2(1)","IA-2(5)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.8"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123947008" onclick="return openRuleDetailsDialog('idp123947008')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123950656" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00229","010440"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","CM-6(b)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123950656" onclick="return openRuleDetailsDialog('idp123950656')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the 
rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123954320" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088","040170"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["48","50","1384","1385","1386","1387","1388"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-8(a)","AC-8(b)","AC-8(c)(1)","AC-8(c)(2)","AC-8(c)(3)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.14"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123954320" onclick="return openRuleDetailsDialog('idp123954320')">Enable SSH Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123957984" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-GPOS-00229","010441"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.10"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idp123957984" onclick="return openRuleDetailsDialog('idp123957984')">Do Not Allow SSH Environment Options</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123961648" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000033-GPOS-00014","SRG-OS-000120-GPOS-00061","SRG-OS-000125-GPOS-00065","SRG-OS-000250-GPOS-00093","SRG-OS-000393-GPOS-00173","040110"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["68","366","803"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-3","AC-17(2)","AU-10(5)","CM-6(b)","IA-5(1)(c)","IA-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["6.2.11"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123961648" onclick="return openRuleDetailsDialog('idp123961648')">Use Only Approved Ciphers</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123965312" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"":["SRG-OS-000250-GPOS-00093","040620"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["68","803","1453","2449","2450"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(2)","IA-7","SC-13"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123965312" onclick="return openRuleDetailsDialog('idp123965312')">Use Only FIPS Approved MACs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openssh-server_installed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-overview-leaf-idp123874352" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189","SRG-OS000423-GPOS-00190","040260"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["2418","2420","2421","2422"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123874352" onclick="return openRuleDetailsDialog('idp123874352')">Install the OpenSSH Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_sshd_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_sshd_enabled" id="rule-overview-leaf-idp123879312" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS-000423-GPOS-00187","SRG-OS-000423-GPOS-00188","SRG-OS-000423-GPOS-00189","SRG-OS000423-GPOS-00190","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["2418","2420","2421","2422"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-8"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123879312" onclick="return openRuleDetailsDialog('idp123879312')">Enable the OpenSSH Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_sshd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_sshd_disabled" id="rule-overview-leaf-idp123884224" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123884224" onclick="return openRuleDetailsDialog('idp123884224')">Disable SSH Server If Possible (Unusual)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" id="rule-overview-leaf-idp123887856" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS-000480-GPOS-00227","040640"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123887856" onclick="return openRuleDetailsDialog('idp123887856')">Verify Permissions on SSH Server Public *.pub Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp123891520" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"":["SRG-OS-000480-GPOS-00227","040650"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-6"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123891520" onclick="return openRuleDetailsDialog('idp123891520')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled" id="rule-overview-leaf-idp123895184" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references="{}"><td style="padding-left: 57px"><a href="#rule-detail-idp123895184" onclick="return openRuleDetailsDialog('idp123895184')">Remove SSH Server firewalld Firewall exception (Unusual)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">X Window System<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows" data-tt-parent-id="xccdf_org.ssgproject.content_group_xwindows"><td colspan="3" style="padding-left: 57px">Disable X Windows<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_xwindows");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_xwindows_runlevel_setting" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_xwindows_runlevel_setting" id="rule-overview-leaf-idp123968960" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_xwindows" data-references='{"":["SRG-OS-000480-GPOS-00227","040561"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8).1(ii)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123968960" onclick="return openRuleDetailsDialog('idp123968960')">Disable X Windows Startup By Setting Default Target</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-overview-leaf-idp123972624" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_xwindows" data-references='{"":["SRG-OS-000480-GPOS-00227","040560"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-17(8).1(ii)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123972624" onclick="return openRuleDetailsDialog('idp123972624')">Remove the X Windows Package Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_avahi" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Avahi Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_avahi");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disable_avahi_group" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disable_avahi_group" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi"><td colspan="3" style="padding-left: 57px">Disable 
Avahi Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disable_avahi_group");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-overview-leaf-idp123976304" data-tt-parent-id="xccdf_org.ssgproject.content_group_disable_avahi_group" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123976304" onclick="return openRuleDetailsDialog('idp123976304')">Disable Avahi Server Software</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_avahi_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi"><td colspan="3" style="padding-left: 57px">Configure Avahi if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_avahi_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_avahi_ip_only" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_avahi_ip_only" id="rule-overview-leaf-idp123981264" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123981264" onclick="return openRuleDetailsDialog('idp123981264')">Serve Avahi Only via Required Protocol</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_avahi_check_ttl" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_avahi_check_ttl" id="rule-overview-leaf-idp123983616" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123983616" onclick="return openRuleDetailsDialog('idp123983616')">Check Avahi Responses' TTL Field</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing" id="rule-overview-leaf-idp123985968" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123985968" onclick="return openRuleDetailsDialog('idp123985968')">Prevent Other Programs from Using Avahi's Port</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_avahi_disable_publishing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_avahi_disable_publishing" id="rule-overview-leaf-idp123988336" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123988336" onclick="return openRuleDetailsDialog('idp123988336')">Disable Avahi Publishing</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_avahi_restrict_published_information" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_avahi_restrict_published_information" id="rule-overview-leaf-idp123990704" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123990704" onclick="return openRuleDetailsDialog('idp123990704')">Restrict Information Published by Avahi</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_printing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_printing" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Print Support<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_printing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_printing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_printing" data-tt-parent-id="xccdf_org.ssgproject.content_group_printing"><td colspan="3" style="padding-left: 57px">Configure the CUPS Service if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configure_printing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_cups_disable_browsing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_cups_disable_browsing" id="rule-overview-leaf-idp123997984" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_printing" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp123997984" onclick="return openRuleDetailsDialog('idp123997984')">Disable Printer Browsing Entirely if Possible</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_cups_disable_printserver" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_cups_disable_printserver" id="rule-overview-leaf-idp124001616" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_printing" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124001616" onclick="return openRuleDetailsDialog('idp124001616')">Disable Print Server Capabilities</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_cups_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_cups_disabled" id="rule-overview-leaf-idp123993072" data-tt-parent-id="xccdf_org.ssgproject.content_group_printing" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.4"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp123993072" onclick="return openRuleDetailsDialog('idp123993072')">Disable the CUPS Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">DHCP<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Disable DHCP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dhcp_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled" id="rule-overview-leaf-idp124005264" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124005264" onclick="return openRuleDetailsDialog('idp124005264')">Disable DHCP Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dhcp_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-overview-leaf-idp124010192" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.5"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124010192" onclick="return openRuleDetailsDialog('idp124010192')">Uninstall DHCP Server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Disable DHCP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp_server_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_minimize_served_info" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_minimize_served_info" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration"><td colspan="3" style="padding-left: 76px">Minimize Served Information<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp_server_minimize_served_info");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns" id="rule-overview-leaf-idp124015104" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124015104" onclick="return openRuleDetailsDialog('idp124015104')">Do Not Use Dynamic DNS</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline" id="rule-overview-leaf-idp124017472" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124017472" onclick="return openRuleDetailsDialog('idp124017472')">Deny Decline Messages</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp" id="rule-overview-leaf-idp124019840" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124019840" onclick="return openRuleDetailsDialog('idp124019840')">Deny BOOTP Queries</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dhcp_server_configure_logging" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dhcp_server_configure_logging" id="rule-overview-leaf-idp124022208" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-12"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124022208" onclick="return openRuleDetailsDialog('idp124022208')">Configure Logging</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Disable DHCP Client<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dhcp_client");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg" id="rule-overview-leaf-idp124024576" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124024576" onclick="return openRuleDetailsDialog('idp124024576')">Disable DHCP Client</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp"><td colspan="3" style="padding-left: 57px">Configure DHCP Client if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp_client_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_restrict_options" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options" data-tt-parent-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td colspan="3" style="padding-left: 76px">Minimize the DHCP-Configured Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dhcp_client_restrict_options");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td 
colspan="3" style="padding-left: 38px"><strong>Network Time Protocol</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp124029536" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["160"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-8(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp124029536" onclick="return openRuleDetailsDialog('idp124029536')">Enable the NTP Daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp124033200" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["160"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-8(1)"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.6"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.1","Req-10.4.3"]}'><td 
style="padding-left: 57px"><a href="#rule-detail-idp124033200" onclick="return openRuleDetailsDialog('idp124033200')">Specify a Remote NTP Server</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idp124036864" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AU-8(1)"],"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf":["Req-10.4.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp124036864" onclick="return openRuleDetailsDialog('idp124036864')">Specify Additional Remote NTP Servers</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Mail Server Software<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mail");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_client" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px">Configure SMTP For Mail 
Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_client");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-overview-leaf-idp124050400" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_client" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["382"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.16"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124050400" onclick="return openRuleDetailsDialog('idp124050400')">Disable Postfix Network Listening</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail"><td colspan="3" style="padding-left: 57px">Configure Operating System to Protect Mail Server
<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_harden_os");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_harden_os"><td colspan="3" style="padding-left: 76px">Configure SSL Certificates for Use with SMTP AUTH<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td colspan="3" style="padding-left: 95px">Ensure Security of Postfix SSL Certificate<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_install_ssl_cert");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_harden_os"><td colspan="3" style="padding-left: 76px">Configure Postfix if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_configuration");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_denial_of_service" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_denial_of_service" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_configuration"><td colspan="3" style="padding-left: 95px">Configure Postfix Resource Usage to Limit Denial of Service Attacks<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_denial_of_service");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_configuration"><td colspan="3" style="padding-left: 95px">Control Mail Relaying<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_relay");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td colspan="3" style="padding-left: 114px">Configure Trusted Networks and Hosts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td colspan="3" style="padding-left: 114px">Enact SMTP Relay 
Restrictions<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td colspan="3" style="padding-left: 114px">Enact SMTP Recipient Restrictions<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td colspan="3" style="padding-left: 114px">Require SMTP AUTH Before Relaying from Untrusted Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td colspan="3" style="padding-left: 114px">Use TLS for SMTP 
AUTH<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_postfix_server_banner" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_postfix_server_banner" id="rule-overview-leaf-idp124055360" data-tt-parent-id="xccdf_org.ssgproject.content_group_postfix_server_configuration" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-22","AU-13"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124055360" onclick="return openRuleDetailsDialog('idp124055360')">Configure SMTP Greeting Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_postfix_enabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_postfix_enabled" id="rule-overview-leaf-idp124040544" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail" data-references='{"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp124040544" onclick="return openRuleDetailsDialog('idp124040544')">Enable Postfix Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-overview-leaf-idp124045472" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 57px"><a href="#rule-detail-idp124045472" onclick="return openRuleDetailsDialog('idp124045472')">Uninstall Sendmail Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ldap" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ldap" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">LDAP<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ldap");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_openldap_client" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_openldap_client" data-tt-parent-id="xccdf_org.ssgproject.content_group_ldap"><td colspan="3" style="padding-left: 57px">Configure OpenLDAP Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_openldap_client");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ldap_client_start_tls" id="rule-overview-leaf-idp124058992" data-tt-parent-id="xccdf_org.ssgproject.content_group_openldap_client" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["776","778","1453"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124058992" onclick="return openRuleDetailsDialog('idp124058992')">Configure LDAP Client to Use TLS For All Transactions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath" id="rule-overview-leaf-idp124063904" data-tt-parent-id="xccdf_org.ssgproject.content_group_openldap_client" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["776","778","1453"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124063904" onclick="return openRuleDetailsDialog('idp124063904')">Configure Certificate Directives for LDAP Use of TLS</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_openldap_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_openldap_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ldap"><td colspan="3" style="padding-left: 57px">Configure OpenLDAP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_openldap_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_openldap_server"><td colspan="3" style="padding-left: 76px">Install and Protect LDAP Certificate Files<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openldap-servers_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_openldap-servers_removed" id="rule-overview-leaf-idp124068864" data-tt-parent-id="xccdf_org.ssgproject.content_group_openldap_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.7"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121024 by DS"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124068864" onclick="return 
openRuleDetailsDialog('idp124068864')">Uninstall openldap-servers Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">NFS and RPC<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_and_rpc");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfs" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfs" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Disable All NFS Services if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_nfs");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfs_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfs"><td colspan="3" style="padding-left: 76px">Disable Services Used Only by NFS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_nfs_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" class="rule-overview-leaf rule-overview-leaf-notselected 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_nfslock_disabled" id="rule-overview-leaf-idp124073824" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124073824" onclick="return openRuleDetailsDialog('idp124073824')">Disable Network File System Lock Service (nfslock)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" id="rule-overview-leaf-idp124077472" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124077472" onclick="return openRuleDetailsDialog('idp124077472')">Disable Secure RPC Client Service (rpcgssd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rpcbind_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rpcbind_disabled" id="rule-overview-leaf-idp124081120" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124081120" onclick="return openRuleDetailsDialog('idp124081120')">Disable rpcbind Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" id="rule-overview-leaf-idp124084768" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.8"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124084768" onclick="return openRuleDetailsDialog('idp124084768')">Disable RPC ID Mapping Service (rpcidmapd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Configure All Machines which Use NFS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configuring_all_machines");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td colspan="3" style="padding-left: 76px">Make Each Machine a Client or a Server, not Both<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td colspan="3" style="padding-left: 76px">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" 
id="rule-overview-leaf-idp124088432" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124088432" onclick="return openRuleDetailsDialog('idp124088432')">Configure lockd to use static TCP port</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" id="rule-overview-leaf-idp124090800" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124090800" onclick="return openRuleDetailsDialog('idp124090800')">Configure lockd to use static UDP port</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" id="rule-overview-leaf-idp124093168" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124093168" onclick="return openRuleDetailsDialog('idp124093168')">Configure statd to use static port</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" id="rule-overview-leaf-idp124095520" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124095520" onclick="return openRuleDetailsDialog('idp124095520')">Configure mountd to use static port</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_clients" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Configure NFS Clients<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configuring_clients");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfsd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfsd" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td colspan="3" style="padding-left: 76px">Disable NFS Server Daemons<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_nfsd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_nfs_no_anonymous" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_nfs_no_anonymous" id="rule-overview-leaf-idp124097872" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfsd" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124097872" onclick="return openRuleDetailsDialog('idp124097872')">Specify UID and GID for Anonymous NFS Connections</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_nfs_disabled" id="rule-overview-leaf-idp124101504" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfsd" data-references='{"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124101504" onclick="return openRuleDetailsDialog('idp124101504')">Disable Network File System (nfs)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" id="rule-overview-leaf-idp124106416" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_nfsd" data-references='{"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124106416" onclick="return openRuleDetailsDialog('idp124106416')">Disable Secure RPC Server Service (rpcsvcgssd)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td colspan="3" style="padding-left: 76px">Mount Remote Filesystems with Restrictive Options<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting_remote_filesystems");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems" id="rule-overview-leaf-idp124111376" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","MP-2"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124111376" onclick="return openRuleDetailsDialog('idp124111376')">Mount Remote Filesystems with nodev</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-overview-leaf-idp124116336" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121025 by DS"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124116336" onclick="return openRuleDetailsDialog('idp124116336')">Mount Remote Filesystems with nosuid</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-overview-leaf-idp124121312" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-14(1)"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124121312" onclick="return openRuleDetailsDialog('idp124121312')">Mount Remote Filesystems with Kerberos Security</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr 
title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"><td colspan="3" style="padding-left: 57px">Configure NFS Servers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_configuring_servers");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_exports_restrictively" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_exports_restrictively" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td colspan="3" style="padding-left: 76px">Configure the Exports File Restrictively<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configure_exports_restrictively");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td colspan="3" style="padding-left: 76px">Use Access Lists to Enforce Authorization Restrictions<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_export_filesystems_read_only" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_export_filesystems_read_only" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td colspan="3" style="padding-left: 76px">Export Filesystems Read-Only if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_export_filesystems_read_only");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" id="rule-overview-leaf-idp124126288" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124126288" onclick="return openRuleDetailsDialog('idp124126288')">Use Root-Squashing on All Exports</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" id="rule-overview-leaf-idp124128656" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124128656" onclick="return openRuleDetailsDialog('idp124128656')">Restrict NFS Clients to Privileged Ports</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" id="rule-overview-leaf-idp124131040" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["764"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124131040" onclick="return openRuleDetailsDialog('idp124131040')">Ensure Insecure File Locking is Not Allowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" id="rule-overview-leaf-idp124135984" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-references='{"":["SRG-OS-000480-GPOS-00227","040740"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["AC-14(1)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124135984" onclick="return openRuleDetailsDialog('idp124135984')">Use Kerberos Security on All Exports</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">DNS Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns"><td colspan="3" style="padding-left: 57px">Disable DNS Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dns_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_named_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_named_disabled" id="rule-overview-leaf-idp124140944" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dns_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124140944" onclick="return openRuleDetailsDialog('idp124140944')">Disable DNS Server</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_bind_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_bind_removed" id="rule-overview-leaf-idp124145872" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dns_server" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.9"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124145872" onclick="return openRuleDetailsDialog('idp124145872')">Uninstall bind Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns"><td colspan="3" style="padding-left: 57px">Isolate DNS from Other Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_isolation");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_isolation"><td colspan="3" style="padding-left: 76px">Run DNS Software on Dedicated Servers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_dedicated");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_isolation"><td colspan="3" style="padding-left: 76px">Run DNS Software in a chroot Jail<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_chroot");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns"><td colspan="3" style="padding-left: 57px">Protect DNS Data from Tampering or 
Attack<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_protection");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_protection"><td colspan="3" style="padding-left: 76px">Run Separate DNS Servers for External and Internal Queries<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_separate_internal_external");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_partition_with_views" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_protection"><td colspan="3" style="padding-left: 76px">Use Views to Partition External and Internal Information<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dns_server_partition_with_views");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers" id="rule-overview-leaf-idp124150800" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_protection" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124150800" onclick="return openRuleDetailsDialog('idp124150800')">Disable Zone Transfers from the Nameserver</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in 
the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers" id="rule-overview-leaf-idp124153168" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_protection" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124153168" onclick="return openRuleDetailsDialog('idp124153168')">Authenticate Zone Transfers</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates" id="rule-overview-leaf-idp124155552" data-tt-parent-id="xccdf_org.ssgproject.content_group_dns_server_protection" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124155552" onclick="return openRuleDetailsDialog('idp124155552')">Disable Dynamic Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">FTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp"><td colspan="3" style="padding-left: 57px">Disable vsftpd if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_vsftpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled" id="rule-overview-leaf-idp124157920" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1436"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124157920" onclick="return openRuleDetailsDialog('idp124157920')">Disable vsftpd Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-overview-leaf-idp124162848" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" data-references='{"":["SRG-OS-000480-GPOS-00227","040490"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-6(b)","CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.10"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124162848" onclick="return openRuleDetailsDialog('idp124162848')">Uninstall vsftpd Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp"><td colspan="3" style="padding-left: 57px">Use vsftpd to Provide FTP Service if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp_use_vsftpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed" id="rule-overview-leaf-idp124167776" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124167776" onclick="return openRuleDetailsDialog('idp124167776')">Install vsftpd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp"><td colspan="3" style="padding-left: 57px">Use vsftpd to Provide FTP Service if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp_configure_vsftpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td colspan="3" style="padding-left: 76px">Restrict the Set of Users Allowed to Access FTP<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp_restrict_users");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_limit_users" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp_limit_users" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"><td colspan="3" style="padding-left: 95px">Limit Users Allowed FTP Access if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp_limit_users");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" id="rule-overview-leaf-idp124179968" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_restrict_users" 
data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7","AC-3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124179968" onclick="return openRuleDetailsDialog('idp124179968')">Restrict Access to Anonymous Users if Possible</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_firewall" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_firewall" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td colspan="3" style="padding-left: 76px">Configure Firewalls to Protect the FTP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ftp_configure_firewall");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions" id="rule-overview-leaf-idp124171424" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124171424" onclick="return openRuleDetailsDialog('idp124171424')">Enable Logging of All FTP Transactions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner" id="rule-overview-leaf-idp124176336" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["48"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124176336" onclick="return openRuleDetailsDialog('idp124176336')">Create Warning Banners for All FTP Users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads" id="rule-overview-leaf-idp124182320" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124182320" onclick="return openRuleDetailsDialog('idp124182320')">Disable FTP Uploads if Possible</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition" id="rule-overview-leaf-idp124184672" data-tt-parent-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124184672" onclick="return openRuleDetailsDialog('idp124184672')">Place the FTP Home Directory on its Own Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_http" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_http" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Web Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_http");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_http"><td colspan="3" style="padding-left: 57px">Disable Apache if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_httpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_httpd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_httpd_disabled" id="rule-overview-leaf-idp124187024" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_httpd" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124187024" onclick="return openRuleDetailsDialog('idp124187024')">Disable httpd Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed" id="rule-overview-leaf-idp124191952" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_httpd" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"],"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124191952" onclick="return openRuleDetailsDialog('idp124191952')">Uninstall httpd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_installing_httpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_installing_httpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_http"><td colspan="3" style="padding-left: 57px">Install Apache if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_installing_httpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" data-tt-parent-id="xccdf_org.ssgproject.content_group_installing_httpd"><td colspan="3" style="padding-left: 76px">Confirm Minimal Built-in Modules Installed<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd" data-tt-parent-id="xccdf_org.ssgproject.content_group_http"><td colspan="3" style="padding-left: 57px">Secure Apache Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_securing_httpd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Restrict Web Server Information 
Leakage<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod" id="rule-overview-leaf-idp124196864" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124196864" onclick="return openRuleDetailsDialog('idp124196864')">Set httpd ServerTokens Directive to Prod</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_serversignature_off" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_serversignature_off" id="rule-overview-leaf-idp124199232" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idp124199232" onclick="return openRuleDetailsDialog('idp124199232')">Set httpd ServerSignature Directive to Off</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Minimize Web Server Loadable Modules<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_core_modules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_core_modules" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules"><td colspan="3" style="padding-left: 95px">httpd Core Modules<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_core_modules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_basic_authentication" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_basic_authentication" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules"><td colspan="3" style="padding-left: 114px">Minimize Modules for HTTP Basic Authentication<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_basic_authentication");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_optional_components" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_optional_components" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules"><td colspan="3" 
style="padding-left: 114px">Minimize Various Optional Components<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_optional_components");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules"><td colspan="3" style="padding-left: 114px">Minimize Configuration Files Included<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_digest_authentication" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_digest_authentication" id="rule-overview-leaf-idp124201600" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124201600" onclick="return openRuleDetailsDialog('idp124201600')">Disable HTTP Digest Authentication</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mod_rewrite" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mod_rewrite" id="rule-overview-leaf-idp124203968" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124203968" onclick="return openRuleDetailsDialog('idp124203968')">Disable HTTP mod_rewrite</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_ldap_support" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_ldap_support" id="rule-overview-leaf-idp124206320" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124206320" onclick="return openRuleDetailsDialog('idp124206320')">Disable LDAP Support</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_side_includes" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_side_includes" id="rule-overview-leaf-idp124208672" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124208672" onclick="return openRuleDetailsDialog('idp124208672')">Disable Server Side Includes</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_mime_magic" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic" id="rule-overview-leaf-idp124211040" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124211040" onclick="return openRuleDetailsDialog('idp124211040')">Disable MIME Magic</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_webdav" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_webdav" id="rule-overview-leaf-idp124213392" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124213392" onclick="return openRuleDetailsDialog('idp124213392')">Disable WebDAV (Distributed Authoring and Versioning)</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_activity_status" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status" id="rule-overview-leaf-idp124215744" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124215744" onclick="return openRuleDetailsDialog('idp124215744')">Disable Server Activity Status</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_server_configuration_display" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_server_configuration_display" id="rule-overview-leaf-idp124218112" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124218112" onclick="return openRuleDetailsDialog('idp124218112')">Disable Web Server Configuration Display</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_url_correction" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_url_correction" id="rule-overview-leaf-idp124220480" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124220480" onclick="return openRuleDetailsDialog('idp124220480')">Disable URL Correction on Misspelled Entries</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_proxy_support" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_proxy_support" id="rule-overview-leaf-idp124222832" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124222832" onclick="return openRuleDetailsDialog('idp124222832')">Disable Proxy Support</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_cache_support" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_cache_support" id="rule-overview-leaf-idp124225184" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124225184" onclick="return openRuleDetailsDialog('idp124225184')">Disable Cache Support</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_cgi_support" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_cgi_support" id="rule-overview-leaf-idp124227536" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_core_modules" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124227536" onclick="return openRuleDetailsDialog('idp124227536')">Disable CGI Support</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Directory Restrictions<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_directory_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_restrict_root_directory" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_restrict_root_directory" id="rule-overview-leaf-idp124229888" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124229888" onclick="return openRuleDetailsDialog('idp124229888')">Restrict Root Directory</a></td><td 
class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_restrict_web_directory" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_restrict_web_directory" id="rule-overview-leaf-idp124232256" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124232256" onclick="return openRuleDetailsDialog('idp124232256')">Restrict Web Directory</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories" id="rule-overview-leaf-idp124234624" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124234624" onclick="return openRuleDetailsDialog('idp124234624')">Restrict Other Critical Directories</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_limit_available_methods" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_limit_available_methods" id="rule-overview-leaf-idp124236992" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124236992" onclick="return openRuleDetailsDialog('idp124236992')">Limit Available Methods</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_modules_improve_security" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Use Appropriate Modules to Improve httpd's Security<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_modules_improve_security");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td colspan="3" style="padding-left: 95px">Deploy 
mod_ssl<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_install_mod_ssl" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_install_mod_ssl" id="rule-overview-leaf-idp124239360" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124239360" onclick="return openRuleDetailsDialog('idp124239360')">Install mod_ssl</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td colspan="3" style="padding-left: 95px">Deploy mod_security<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_deploy_mod_security");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_httpd_install_mod_security" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_httpd_install_mod_security" id="rule-overview-leaf-idp124241712" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124241712" onclick="return openRuleDetailsDialog('idp124241712')">Install 
mod_security</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Use Denial-of-Service Protection Modules<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_php_securely" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Configure PHP Securely<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_configure_php_securely");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_securing_httpd"><td colspan="3" style="padding-left: 76px">Configure Operating System to Protect Web Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td colspan="3" style="padding-left: 95px">Restrict File and Directory Access<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd" id="rule-overview-leaf-idp124244080" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp124244080" onclick="return openRuleDetailsDialog('idp124244080')">Set Permissions on the /var/log/httpd/ Directory</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf" id="rule-overview-leaf-idp124247728" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-references="{}"><td style="padding-left: 114px"><a href="#rule-detail-idp124247728" onclick="return openRuleDetailsDialog('idp124247728')">Set Permissions on the /etc/httpd/conf/ Directory</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files" id="rule-overview-leaf-idp124251376" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-references='{"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["CM-7"]}'><td style="padding-left: 114px"><a href="#rule-detail-idp124251376" onclick="return openRuleDetailsDialog('idp124251376')">Set Permissions on All Configuration Files Inside /etc/httpd/conf/</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td colspan="3" style="padding-left: 95px">Configure firewalld to Allow Access to the Web Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_configure_firewalld");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_chroot" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_httpd_chroot" data-tt-parent-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td colspan="3" style="padding-left: 95px">Run httpd in a chroot Jail if Practical<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_httpd_chroot");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_imap" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_imap" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">IMAP and POP3 Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_imap");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot" data-tt-parent-id="xccdf_org.ssgproject.content_group_imap"><td colspan="3" style="padding-left: 57px">Disable 
Dovecot<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_dovecot");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_dovecot_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_dovecot_disabled" id="rule-overview-leaf-idp124255056" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dovecot" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124255056" onclick="return openRuleDetailsDialog('idp124255056')">Disable Dovecot Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dovecot_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dovecot_removed" id="rule-overview-leaf-idp124259984" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_dovecot" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.12"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124259984" onclick="return openRuleDetailsDialog('idp124259984')">Uninstall dovecot Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot" data-tt-parent-id="xccdf_org.ssgproject.content_group_imap"><td colspan="3" style="padding-left: 57px">Configure Dovecot if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configure_dovecot");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_dovecot"><td colspan="3" style="padding-left: 76px">Support Only the Necessary Protocols<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_dovecot"><td colspan="3" style="padding-left: 76px">Enable SSL Support<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dovecot_enabling_ssl");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dovecot_enable_ssl" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dovecot_enable_ssl" id="rule-overview-leaf-idp124264912" data-tt-parent-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-references="{}"><td 
style="padding-left: 95px"><a href="#rule-detail-idp124264912" onclick="return openRuleDetailsDialog('idp124264912')">Enable the SSL flag in /etc/dovecot.conf</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert" id="rule-overview-leaf-idp124268544" data-tt-parent-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124268544" onclick="return openRuleDetailsDialog('idp124268544')">Configure Dovecot to Use the SSL Certificate file</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key" id="rule-overview-leaf-idp124270912" data-tt-parent-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124270912" onclick="return openRuleDetailsDialog('idp124270912')">Configure Dovecot to Use the SSL Key file</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth" id="rule-overview-leaf-idp124273280" data-tt-parent-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-references="{}"><td style="padding-left: 95px"><a href="#rule-detail-idp124273280" onclick="return openRuleDetailsDialog('idp124273280')">Disable Plaintext Authentication</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_dovecot"><td colspan="3" style="padding-left: 76px">Allow IMAP Clients to Access the Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_dovecot_allow_imap_access");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_routing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_routing" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Routing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_routing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_quagga" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_quagga" data-tt-parent-id="xccdf_org.ssgproject.content_group_routing"><td colspan="3" style="padding-left: 57px">Disable Quagga if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_quagga");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_zebra_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_zebra_disabled" id="rule-overview-leaf-idp124276944" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_quagga" 
data-references='{"":["SRG-OS-000480-GPOS-00227","040730"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-32"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124276944" onclick="return openRuleDetailsDialog('idp124276944')">Disable Quagga Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_quagga_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-overview-leaf-idp124280592" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_quagga" data-references='{"":["SRG-OS-000480-GPOS-00227","TBD"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["SC-32"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124280592" onclick="return openRuleDetailsDialog('idp124280592')">Uninstall quagga Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smb" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Samba(SMB) Microsoft Windows File Sharing Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_smb");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba" data-tt-parent-id="xccdf_org.ssgproject.content_group_smb"><td colspan="3" style="padding-left: 57px">Disable Samba if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_samba");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled" id="rule-overview-leaf-idp124285520" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_samba" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1436"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124285520" onclick="return openRuleDetailsDialog('idp124285520')">Disable Samba</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed" id="rule-overview-leaf-idp124290432" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_samba" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.13"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124290432" onclick="return openRuleDetailsDialog('idp124290432')">Uninstall Samba Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba" data-tt-parent-id="xccdf_org.ssgproject.content_group_smb"><td colspan="3" style="padding-left: 57px">Configure Samba if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_samba");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_samba"><td colspan="3" style="padding-left: 76px">Restrict SMB File Sharing to Configured 
Networks<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_smb_restrict_file_sharing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_samba"><td colspan="3" style="padding-left: 76px">Restrict Printer Sharing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_smb_disable_printing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root" id="rule-overview-leaf-idp124295344" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_samba" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124295344" onclick="return openRuleDetailsDialog('idp124295344')">Disable Root Access to SMB Shares</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing" id="rule-overview-leaf-idp124297712" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_samba" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124297712" onclick="return openRuleDetailsDialog('idp124297712')">Require Client SMB Packet Signing, if using smbclient</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing" id="rule-overview-leaf-idp124302672" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_samba" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124302672" onclick="return openRuleDetailsDialog('idp124302672')">Require Client SMB Packet Signing, if using mount.cifs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_proxy" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_proxy" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Proxy Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_proxy");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_squid" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_squid" data-tt-parent-id="xccdf_org.ssgproject.content_group_proxy"><td colspan="3" style="padding-left: 57px">Disable Squid if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_squid");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_squid_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-overview-leaf-idp124307632" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124307632" onclick="return openRuleDetailsDialog('idp124307632')">Disable Squid</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_squid_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-overview-leaf-idp124312560" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.14"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124312560" onclick="return openRuleDetailsDialog('idp124312560')">Uninstall squid Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SNMP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Disable SNMP Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_snmp_service");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_service_snmpd_disabled" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-overview-leaf-idp124317472" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124317472" onclick="return openRuleDetailsDialog('idp124317472')">Disable snmpd Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_net-snmp_removed" id="rule-overview-leaf-idp124322400" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["3.15"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124322400" onclick="return openRuleDetailsDialog('idp124322400')">Uninstall net-snmp Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Configure SNMP Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp_configure_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-overview-leaf-idp124327328" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idp124327328" onclick="return openRuleDetailsDialog('idp124327328')">Configure SNMP Service to Use Only SNMPv3 or Newer </a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-overview-leaf-idp124332256" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references='{"":["SRG-OS-000480-GPOS-00227","040580"],"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["366"],"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf":["IA-5.1(ii)"],"https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors":["Test attestation on 20121214 by MAN"]}'><td style="padding-left: 76px"><a href="#rule-detail-idp124332256" onclick="return openRuleDetailsDialog('idp124332256')">Ensure Default SNMP Password Is Not Used</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_srg_support" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_srg_support" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px">Documentation to Support DISA OS SRG Mapping<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_srg_support");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_met_inherently_generic" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_met_inherently_generic" id="rule-overview-leaf-idp124335920" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" 
data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["42","56","206","1084","66","85","86","185","223","171","172","1694","770","804","162","163","164","345","346","1096","1111","1291","386","156","186","1083","1082","1090","804","1127","1128","1129","1248","1265","1314","1362","1368","1310","1311","1328","1399","1400","1404","1405","1427","1499","1632","1693","1665","1674"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124335920" onclick="return openRuleDetailsDialog('idp124335920')">Product Meets this Requirement</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_met_inherently_auditing" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_met_inherently_auditing" id="rule-overview-leaf-idp124338944" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["130","157","131","132","133","134","135","159","174"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124338944" onclick="return openRuleDetailsDialog('idp124338944')">Product Meets this Requirement</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_met_inherently_nonselected" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_met_inherently_nonselected" id="rule-overview-leaf-idp124341968" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["34","35","99","154","226","802","872","1086","1087","1089","1091","1424","1426","1428","1209","1214","1237","1269","1338","1425","1670"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124341968" onclick="return openRuleDetailsDialog('idp124341968')">Product Meets this Requirement</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_unmet_nonfinding_nonselected_scope" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_unmet_nonfinding_nonselected_scope" id="rule-overview-leaf-idp124345008" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["21","25","28","29","30","165","221","354","553","779","780","781","1009","1094","1123","1124","1125","1132","1135","1140","1141","1142","1143","1145","1147","1148","1166","1339","1340","1341","1350","1356","1373","1374","1383","1391","1392","1395","1662"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124345008" onclick="return openRuleDetailsDialog('idp124345008')">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_unmet_finding_nonselected" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_unmet_finding_nonselected" id="rule-overview-leaf-idp124348048" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["20","31","52","144","1158","1294","1295","1500"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124348048" onclick="return openRuleDetailsDialog('idp124348048')">Implementation of the Requirement is Not Supported</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_unmet_nonfinding_scope" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_unmet_nonfinding_scope" id="rule-overview-leaf-idp124351072" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["15","27","218","219","371","372","535","537","539","1682","370","37","24","1112","1126","1143","1149","1157","1159","1210","1211","1274","1372","1376","1377","1352","1401","1555","1556","1150"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124351072" onclick="return openRuleDetailsDialog('idp124351072')">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr 
title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_update_process" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_update_process" id="rule-overview-leaf-idp124354096" data-tt-parent-id="xccdf_org.ssgproject.content_group_srg_support" data-references='{"http://iase.disa.mil/stigs/cci/Pages/index.aspx":["1232"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124354096" onclick="return openRuleDetailsDialog('idp124354096')">A process for prompt installation of OS updates must exist.</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_c2s_support" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_c2s_support" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><td colspan="3" style="padding-left: 19px">Documentation to Support C2S/CIS  Mapping<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_c2s_support");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_c2s_procedural_requirement" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_c2s_procedural_requirement" id="rule-overview-leaf-idp124357104" data-tt-parent-id="xccdf_org.ssgproject.content_group_c2s_support" 
data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["unknown"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124357104" onclick="return openRuleDetailsDialog('idp124357104')">Procedural Requirement</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_c2s_not_OS_applicable" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_c2s_not_OS_applicable" id="rule-overview-leaf-idp124360144" data-tt-parent-id="xccdf_org.ssgproject.content_group_c2s_support" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["unknown"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124360144" onclick="return openRuleDetailsDialog('idp124360144')">Not Applicable to Operating System</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_c2s_met_inherently" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_c2s_met_inherently" id="rule-overview-leaf-idp124361872" data-tt-parent-id="xccdf_org.ssgproject.content_group_c2s_support" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["unknown"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124361872" onclick="return openRuleDetailsDialog('idp124361872')">Product Meets this Requirement</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_apply_to_everything" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_apply_to_everything" id="rule-overview-leaf-idp124364880" data-tt-parent-id="xccdf_org.ssgproject.content_group_c2s_support" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["unknown"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124364880" onclick="return openRuleDetailsDialog('idp124364880')">Requirement Applies to All Rules</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. 
This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_cis_xinetd" class="rule-overview-leaf rule-overview-leaf-notselected rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_cis_xinetd" id="rule-overview-leaf-idp124366608" data-tt-parent-id="xccdf_org.ssgproject.content_group_c2s_support" data-references='{"https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf":["2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18"]}'><td style="padding-left: 38px"><a href="#rule-detail-idp124366608" onclick="return openRuleDetailsDialog('idp124366608')">Rule Compliance through Removal of xinetd</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_tmp" id="rule-detail-idp122570736"><div class="keywords sr-only">Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-27173-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /tmp Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_tmp</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27173-4">CCE-27173-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.1</a>, <a href="">021270</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>/tmp</code> directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The <code>/tmp</code> partition is used as temporary storage by many programs.
Placing <code>/tmp</code> in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idp122574464"><div class="keywords sr-only">Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-26404-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26404-4">CCE-26404-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">021250</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/var</code> directory is used by daemons and other system
services to store frequently-changing data. Ensure that <code>/var</code> has its own partition
or logical volume at installation time, or migrate it using LVM.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Ensuring that <code>/var</code> is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the <code>/var</code> directory to contain
world-writable directories installed by other software packages.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-detail-idp122578096"><div class="keywords sr-only">Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log lowCCE-26967-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26967-0">CCE-26967-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
System logs are stored in the <code>/var/log</code> directory.
Ensure that it has its own partition or logical
volume at installation time, or migrate it using LVM.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Placing <code>/var/log</code> in its own partition
enables better separation between log files
and other files in <code>/var/</code>.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idp122583008"><div class="keywords sr-only">Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-26971-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26971-2">CCE-26971-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.8</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">021260</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Audit logs are stored in the <code>/var/log/audit</code> directory.  Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Placing <code>/var/log/audit</code> in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idp122586672"><div class="keywords sr-only">Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1208</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.9</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">021240</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If user home directories will be stored locally, create a separate partition
for <code>/home</code> at installation time (or migrate it later using LVM). If
<code>/home</code> will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Ensuring that <code>/home</code> is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_encrypt_partitions" id="rule-detail-idp122590304"><div class="keywords sr-only">Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions mediumCCE-27128-8 </div><div class="panel-heading"><h3 class="panel-title">Encrypt Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_encrypt_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27128-8">CCE-27128-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1199</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2476</a>, <a href="">SRG-OS-000405-GPOS-00184</a>, <a href="">SRG-OS-000185-GPOS-00079</a>, <a href="">020170</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Red Hat Enterprise Linux 7 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest time to
encrypt a partition is during installation.
<br><br>
For manual installations, select the <code>Encrypt</code> checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
<br><br>
For automated/unattended installations, it is possible to use Kickstart by adding
the <code>--encrypted</code> and <code>--passphrase=</code> options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
<pre>part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=<i>PASSPHRASE</i></pre>
Any <i>PASSPHRASE</i> is stored in the Kickstart file in plaintext, so the Kickstart file must be protected accordingly.
Omitting the <code>--passphrase=</code> option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
<br><br>
Detailed information on encrypting partitions using LUKS can be found on
the Red Hat Documentation web site:<br>
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Physical compromise of a system, particularly a mobile system such as a
laptop, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-detail-idp122594576"><div class="keywords sr-only">Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-26957-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26957-1">CCE-26957-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1749</a>, <a href="">366</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20150407 by sdw</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To ensure the system can cryptographically verify base software
packages come from Red Hat (and to connect to the Red Hat Network to
receive them), the Red Hat GPG key must be properly installed.
To install the Red Hat GPG key, run:
<pre>$ sudo rhn_register</pre>
If the system is not connected to the Internet or an RHN Satellite,
then install the Red Hat GPG key from trusted media such as
the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
in <code>/media/cdrom</code>, use the following command as the root user to import
it into the keyring:
<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Changes to software components can have significant effects on the
overall security of the operating system. This requirement ensures
the software has not been tampered with and that it has been provided 
by a trusted vendor. The Red Hat GPG key is necessary to 
cryptographically verify packages are from Red Hat.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idp122598240"><div class="keywords sr-only">Ensure gpgcheck Enabled In Main Yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-26989-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main Yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26989-4">CCE-26989-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1749</a>, <a href="">SRG-OS-000366-GPOS-00153</a>, <a href="">020150</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20150407 by sdw</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gpgcheck</code> option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in <code>/etc/yum.conf</code> in
the <code>[main]</code> section:
<pre>gpgcheck=1</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Changes to any software components can have significant effects on the overall security 
of the operating system. This requirement ensures the software has not been tampered with
and that it has been provided by a trusted vendor.
<br>
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization.
<br>
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from
a vendor. This ensures the software has not been tampered with and
that it has been provided by a trusted vendor. Self-signed
certificates are disallowed by this requirement. Certificates
used to verify the software must be from an approved Certificate
Authority (CA).
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idp122601904"><div class="keywords sr-only">Ensure gpgcheck Enabled For All Yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-26876-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled For All Yum Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26876-3">CCE-26876-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1749</a>, <a href="">366</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20150407 by sdw</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure signature checking is not disabled for
any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form:
<pre>gpgcheck=0</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from
a vendor. This ensures the software has not been tampered with and
that it has been provided by a trusted vendor. Self-signed 
certificates are disallowed by this requirement. Certificates
used to verify the software must be from an approved Certificate
Authority (CA).
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idp122605568"><div class="keywords sr-only">Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date highCCE-26895-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26895-3">CCE-26895-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-1(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120928 by MM</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
<pre>$ sudo yum update</pre>
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using <code>rpm</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idp122609600"><div class="keywords sr-only">Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-27096-7 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27096-7">CCE-27096-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install the AIDE package with the command:
<pre>$ sudo yum install aide</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The AIDE package must be installed if it is to be available for integrity checking.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code># Include source function library.
. /usr/share/scap-security-guide/remediation_functions

package_command install aide
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_disable_prelink" id="rule-detail-idp122613248"><div class="keywords sr-only">Disable Prelinkingxccdf_org.ssgproject.content_rule_disable_prelink lowCCE-27078-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Prelinking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_prelink</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27078-5">CCE-27078-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The prelinking feature changes binaries in an attempt to decrease their startup
time.  In order to disable it, change or add the following line inside the file
<code>/etc/sysconfig/prelink</code>:
<pre>PRELINKING=no</pre>
Next, run the following command to return binaries to a normal, non-prelinked state:
<pre>$ sudo /usr/sbin/prelink -ua</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The prelinking feature can interfere with the operation
of AIDE, because it changes binaries.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Disable prelinking altogether
#
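if grep -q '^PRELINKING' /etc/sysconfig/prelink
then
  # Anchor the match so only the setting itself is rewritten,
  # not comment lines that happen to mention PRELINKING
  sed -i 's/^PRELINKING.*/PRELINKING=no/' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

#
# Undo previous prelink changes to binaries
# (skipped when the prelink binary is not installed)
#
if [ -x /usr/sbin/prelink ]
then
  /usr/sbin/prelink -ua
fi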
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="rule-detail-idp122616880"><div class="keywords sr-only">Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-27220-3 </div><div class="panel-heading"><h3 class="panel-title">Build and Test AIDE Database</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_build_database</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27220-3">CCE-27220-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Run the following command to generate a new database:
<pre>$ sudo /usr/sbin/aide --init</pre>
By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>.
Storing the database, the configuration file <code>/etc/aide.conf</code>, and the binary
<code>/usr/sbin/aide</code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
<pre>$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
To initiate a manual check, run the following command:
<pre>$ sudo /usr/sbin/aide --check</pre>
If this check produces any unexpected output, investigate.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>/usr/sbin/aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="rule-detail-idp122620512"><div class="keywords sr-only">Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-26952-2 </div><div class="panel-heading"><h3 class="panel-title">Configure Periodic Execution of AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:28</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26952-2">CCE-26952-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">374</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">416</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1297</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1589</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>:
<pre>05 4 * * * root /usr/sbin/aide --check</pre>
AIDE can be executed periodically through other means; this is merely one example.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>grep -q '/usr/sbin/aide --check' /etc/crontab || echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-detail-idp122624176"><div class="keywords sr-only">Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-27209-6 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct File Permissions with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:44</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27209-6">CCE-27209-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1494</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1495</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.3</a>, <a href="">010010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Discretionary access control is weakened if a user or group has access
permissions to system files and directories greater than the default.

The RPM package management system can check file access permissions 
of installed software packages, including many that are important 
to system security. 

Verify that the file permissions, ownership, and group membership of system files
and commands match vendor values. Check the file permissions, ownership, and group
membership with the following command:
<pre>$ sudo rpm -Va | grep '^.M'</pre>

Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
<pre>$ rpm -qf <i>FILENAME</i></pre>

Next, run the following command to reset its permissions to 
the correct values:
<pre>$ sudo rpm --setperms <i>PACKAGENAME</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note: Due to a bug in the <code>gdm</code> package, the
RPM verify command may continue to fail even after file permissions have been
correctly set on <code>/var/log/gdm</code>. This is being tracked in Red Hat
Bugzilla #1275532.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Declare array to hold list of RPM packages we need to correct permissions for
declare -a SETPERMS_RPM_LIST

# Create a list of files on the system having permissions different from what
# is expected by the RPM database (keep only the path, the last field of each line)
FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M' | awk '{print $NF}'))

# For each file path from that list:
# * Determine the RPM package the file path is shipped by,
# * Include it into SETPERMS_RPM_LIST array

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
        RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
        SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
done

# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
SETPERMS_RPM_LIST=( $(printf '%s\n' "${SETPERMS_RPM_LIST[@]}" | sort -u) )

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
do
        rpm --setperms "${RPM_PACKAGE}"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-detail-idp122627824"><div class="keywords sr-only">Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-27157-7 </div><div class="panel-heading"><h3 class="panel-title">Verify File Hashes with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27157-7">CCE-27157-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1496</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.6</a>, <a href="">010020</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Without cryptographic integrity protections, system
executables and files can be altered by unauthorized users without
detection.

The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. 

To verify that the cryptographic hashes of system files and commands match vendor
values, run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<pre>$ rpm -Va | grep '^..5'</pre>

A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change.  If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.

Run the following command to determine which package owns the file:
<pre>$ rpm -qf <i>FILENAME</i></pre>

The package can be reinstalled from a yum repository using the command:
<pre>$ sudo yum reinstall <i>PACKAGENAME</i></pre>

Alternatively, the package can be reinstalled from trusted media using the command:
<pre>$ sudo rpm -Uvh <i>PACKAGENAME</i></pre> 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_install_hids" id="rule-detail-idp122631456"><div class="keywords sr-only">Install Intrusion Detection Softwarexccdf_org.ssgproject.content_rule_install_hids highCCE-26818-5 </div><div class="panel-heading"><h3 class="panel-title">Install Intrusion Detection Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_hids</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26818-5">CCE-26818-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The base Red Hat platform already includes a sophisticated auditing system that
can detect intruder activity, as well as SELinux, which provides host-based
intrusion prevention capabilities by confining privileged programs and user
sessions which may become compromised.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.  
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note: In DoD environments, supplemental intrusion
detection tools, such as the McAfee Host-based Security System, are available
to integrate with existing infrastructure. When these supplemental tools
interfere with proper functioning of SELinux, SELinux takes precedence.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_install_antivirus" id="rule-detail-idp122635728"><div class="keywords sr-only">Install Virus Scanning Softwarexccdf_org.ssgproject.content_rule_install_antivirus lowCCE-27140-3 </div><div class="panel-heading"><h3 class="panel-title">Install Virus Scanning Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_antivirus</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27140-3">CCE-27140-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem.
Ensure virus definition files are no older than 7 days, or their last release.

Configure the virus scanning software to perform scans dynamically on all
accessed files.  If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.

</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_install_mcafee_hbss" id="rule-detail-idp122639360"><div class="keywords sr-only">Install McAfee Host-Based Intrusion Detection Software (HBSS)xccdf_org.ssgproject.content_rule_install_mcafee_hbss mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install McAfee Host-Based Intrusion Detection Software (HBSS)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_mcafee_hbss</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(1).1</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.4</a>, <a href="">STG-OS-000480-GPOS-00227</a>, <a href="">030790</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install the McAfee Host-based Security System (HBSS) application.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Without a host-based intrusion detection tool, there is no system-level defense
when an intruder gains access to a system or network. Additionally, a host-based
intrusion prevention tool can provide methods to immediately lock out detected
intrusion attempts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" id="rule-detail-idp122644272"><div class="keywords sr-only">Install McAfee Virus Scanning Softwarexccdf_org.ssgproject.content_rule_install_mcafee_antivirus highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install McAfee Virus Scanning Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_mcafee_antivirus</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">030810</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install McAfee VirusScan Enterprise for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_nails_enabled" id="rule-detail-idp122649200"><div class="keywords sr-only">Enable nails Servicexccdf_org.ssgproject.content_rule_service_nails_enabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable nails Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_nails_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nails</code> service is used to run McAfee VirusScan Enterprise
for Linux and McAfee Host-based Security System (HBSS) services.

    The <code>nails</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable nails.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" id="rule-detail-idp122654112"><div class="keywords sr-only">Virus Scanning Software Definitions Are Updatedxccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Virus Scanning Software Definitions Are Updated</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-3(1)(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">030820</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Ensure virus definition files are no older than 7 days or their last release.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" id="rule-detail-idp122662720"><div class="keywords sr-only">Disable GDM Automatic Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Automatic Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00229</a>, <a href="">010430</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. Users should always be required to authenticate themselves
to the system that they are authorized to use. To disable the ability of users to log in
automatically, set <code>AutomaticLoginEnable</code> to <code>false</code> in the
<code>[daemon]</code> section of <code>/etc/gdm/custom.conf</code>. For example:
<pre>[daemon]
AutomaticLoginEnable=false</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Failure to restrict system access to authenticated users negatively impacts operating
system security.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" id="rule-detail-idp122667680"><div class="keywords sr-only">Disable GDM Guest Loginxccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable GDM Guest Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00229</a>, <a href="">010431</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The GNOME Display Manager (GDM) can allow users to login without credentials
which can be useful for public kiosk scenarios. Allowing users to log in without credentials
or through "guest" account access has inherent security risks and should be disabled. To disable
timed logins or guest account access, set <code>TimedLoginEnable</code> to <code>false</code> in
the <code>[daemon]</code> section of <code>/etc/gdm/custom.conf</code>. For example:
<pre>[daemon]
TimedLoginEnable=false</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Failure to restrict system access to authenticated users negatively impacts operating
system security.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" id="rule-detail-idp122672640"><div class="keywords sr-only">Disable the GNOME3 Login User Listxccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable the GNOME3 Login User List</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-23</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled by setting
<code>disable-user-list</code> to <code>true</code>.
<br><br>
To disable, add or edit <code>disable-user-list</code> to 
<code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example:
<pre>[org/gnome/login-screen]
disable-user-list=true</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/login-screen/disable-user-list</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" id="rule-detail-idp122677600"><div class="keywords sr-only">Disable the GNOME3 Login Restart and Shutdown Buttonsxccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable the GNOME3 Login Restart and Shutdown Buttons</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, users logging
directly into the system are greeted with a login screen that allows
any user, known or unknown, to shut down or restart
the system. This functionality should be disabled by setting 
<code>disable-restart-buttons</code> to <code>true</code>.
<br><br>
To disable, add or edit <code>disable-restart-buttons</code> to
<code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example:
<pre>[org/gnome/login-screen]
disable-restart-buttons=true</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/login-screen/disable-restart-buttons</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons
are pressed at the login screen, this can create the risk of short-term loss of availability of systems
due to reboot.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" id="rule-detail-idp122682560"><div class="keywords sr-only">Enable the GNOME3 Login Smartcard Authenticationxccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable the GNOME3 Login Smartcard Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">884</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, smart card authentication
can be enabled on the login screen by setting <code>enable-smartcard-authentication</code>
to <code>true</code>.
<br><br>
To enable, add or edit <code>enable-smartcard-authentication</code> to
<code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example:
<pre>[org/gnome/login-screen]
enable-smartcard-authentication=true</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/login-screen/enable-smartcard-authentication</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" id="rule-detail-idp122687520"><div class="keywords sr-only">Set the GNOME3 Login Number of Failuresxccdf_org.ssgproject.content_rule_dconf_gnome_login_retries mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set the GNOME3 Login Number of Failures</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, the GNOME3 login 
screen can be configured to restart the authentication process after
a configured number of attempts. This can be configured by setting
<code>allowed-failures</code> to <code>3</code> or less.
<br><br>
To enable, add or edit <code>allowed-failures</code> to
<code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example:
<pre>[org/gnome/login-screen]
allowed-failures=3</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/login-screen/allowed-failures</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-unknown rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" id="rule-detail-idp122692464"><div class="keywords sr-only">Set GNOME3 Screensaver Inactivity Timeoutxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set GNOME3 Screensaver Inactivity Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay</td></tr><tr><td>Result</td><td class="rule-result rule-result-unknown"><div><abbr title="The testing tool encountered some problem and the result is unknown. For example, a result of 'unknown' might be given if the testing tool was unable to interpret the output of the checking engine (the output has no meaning to the testing tool).">unknown</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="">SRG-OS-000029-GPOS-00010</a>, <a href="">010070</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code>
setting, which must be set in an appropriate configuration file in the <code>/etc/dconf/db/local.d</code> directory
and locked in the <code>/etc/dconf/db/local.d/locks</code> directory to prevent user modification.
<br>
For example, to configure the system for a 15 minute delay, add the following to
<code>/etc/dconf/db/local.d/00-security-settings</code>:
<pre>[org/gnome/desktop/session]
idle-delay=uint32 900</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/session/idle-delay</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Value bindings not found.</message></pre></div></div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
inactivity_timeout_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_inactivity_timeout_value"></abbr>"
# Define constants to be reused below
ORG_GNOME_DESKTOP_SESSION="org/gnome/desktop/session"
SSG_DCONF_IDLE_DELAY_FILE="/etc/dconf/db/local.d/10-scap-security-guide"
SESSION_LOCKS_FILE="/etc/dconf/db/local.d/locks/session"
IDLE_DELAY_DEFINED="FALSE"

# First update '[org/gnome/desktop/session] idle-delay' settings in
# /etc/dconf/db/local.d/* if already defined
for FILE in /etc/dconf/db/local.d/*
do
        if grep -q -d skip "$ORG_GNOME_DESKTOP_SESSION" "$FILE"
        then
                if grep -q 'idle-delay' "$FILE"
                then
                        sed -i "s/idle-delay=.*/idle-delay=uint32 ${inactivity_timeout_value}/g" "$FILE"
                        IDLE_DELAY_DEFINED="TRUE"
                fi
        fi
done

# Then define '[org/gnome/desktop/session] idle-delay' setting
# if still not defined yet
if [ "$IDLE_DELAY_DEFINED" != "TRUE" ]
then
        echo "" >> $SSG_DCONF_IDLE_DELAY_FILE
        echo "[org/gnome/desktop/session]" >>  $SSG_DCONF_IDLE_DELAY_FILE
        echo "idle-delay=uint32 ${inactivity_timeout_value}" >> $SSG_DCONF_IDLE_DELAY_FILE
fi

# Verify if 'idle-delay' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SESSION}/idle-delay$" /etc/dconf/db/local.d/locks/*
then
        # Check if "$SESSION_LOCKS_FILE" exists. If not, create it.
        if [ ! -f "$SESSION_LOCKS_FILE" ]
        then
                touch "$SESSION_LOCKS_FILE"
        fi
        echo "/${ORG_GNOME_DESKTOP_SESSION}/idle-delay" >> "$SESSION_LOCKS_FILE"
fi

</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" id="rule-detail-idp122697600"><div class="keywords sr-only">Enable GNOME3 Screensaver Idle Activationxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Idle Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</a>, <a href="">SRG-OS-000029-GPOS-00010</a>, <a href="">010073</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set <code>idle-activation-enabled</code> to <code>true</code> in 
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/desktop/screensaver]
idle-activation-enabled=true</pre>
Once the setting has been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.

Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay.  Applications requiring continuous,
real-time screen display (such as network management products) require that the
login session not have administrator rights and that the display station be located in a
controlled-access area.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" id="rule-detail-idp122701296"><div class="keywords sr-only">Enable GNOME3 Screensaver Lock After Idle Periodxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Screensaver Lock After Idle Period</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">56</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="">SRG-OS-000028-GPOS-00009</a>, <a href="">OS-SRG-000030-GPOS-00011</a>, <a href="">010060</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To lock the GNOME3 desktop session whenever the screensaver is activated,
add or set <code>lock-enabled</code> to <code>true</code> and <code>lock-delay</code> to <code>0</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=0
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to log out because of the temporary nature of the absence.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" id="rule-detail-idp122704960"><div class="keywords sr-only">Implement Blank Screensaverxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Implement Blank Screensaver</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">60</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set <code>picture-uri</code> to <code>''</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/desktop/screensaver]
picture-uri=''
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/picture-uri</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" id="rule-detail-idp122709920"><div class="keywords sr-only">Disable Full User Name on Splash Shieldxccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Full User Name on Splash Shield</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default when the screen is locked, the splash shield will show the user's
full name. This should be disabled to prevent casual observers from seeing
who has access to the system. This can be disabled by adding or setting
<code>show-full-name-in-top-bar</code> to <code>false</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/screensaver/show-full-name-in-top-bar</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the splash screen to not reveal the logged-in user's name
conceals who has access to the system from passersby.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot" id="rule-detail-idp122714880"><div class="keywords sr-only">Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot highCCE-RHEL:7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL:7-CCE-TBD">CCE-RHEL:7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
key sequence is pressed.
<br>
To configure the system to ignore the <code>Ctrl-Alt-Del</code> key sequence from the
Graphical User Interface (GUI) instead of rebooting the system, add or set 
<code>logout</code> to <code>''</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/settings-daemon/plugins/media-keys]
logout=''
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/settings-daemon/plugins/media-keys/logout</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin" id="rule-detail-idp122719840"><div class="keywords sr-only">Disable User Administration in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable User Administration in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> will allow all users to have some administration
capability. This should be disabled so that non-administrative users are not making
configuration changes. To configure the system to disable user administration
capability in the Graphical User Interface (GUI), add or set
<code>user-administration-disabled</code> to <code>true</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/desktop/lockdown]
user-administration-disabled=true
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/lockdown/user-administration-disabled</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Allowing all users to have some administrative capabilities on the system through
the Graphical User Interface (GUI) when they would not have them otherwise could allow
unintended configuration changes and could give a nefarious user the capability to make system
changes such as adding new accounts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings" id="rule-detail-idp122724800"><div class="keywords sr-only">Disable Power Settings in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Power Settings in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_power_settings</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> enables a power profile designed for mobile devices
with battery usage. While useful for mobile devices, this setting should be disabled
for all other systems. To configure the system to disable the power setting, add or set
<code>active</code> to <code>false</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/settings-daemon/plugins/power]
active=false
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/settings-daemon/plugins/power/active</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Power settings should not be enabled on systems that are not mobile devices.
Enabling power settings on non-mobile devices could have unintended processing
consequences on standard systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation" id="rule-detail-idp122729760"><div class="keywords sr-only">Disable Geolocation in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Geolocation in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>GNOME</code> allows the clock and applications to track and access location 
information. This setting should be disabled as applications should not track
system location. To configure the system to disable location tracking, add or set
<code>enabled</code> to <code>false</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/system/location]
enabled=false
</pre>
To configure the clock to disable location tracking, add or set
<code>geolocation</code> to <code>false</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/clocks]
geolocation=false
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/system/location/enabled
/org/gnome/clocks/geolocation</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Power settings should not be enabled on systems that are not mobile devices.
Enabling power settings on non-mobile devices could have unintended processing
consequences on standard systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create" id="rule-detail-idp122734720"><div class="keywords sr-only">Disable WIFI Network Connection Creation in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable WIFI Network Connection Creation in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>GNOME</code> allows users to create ad-hoc wireless connections through the
<code>NetworkManager</code> applet. Wireless connections should be disabled by
adding or setting <code>disable-wifi-create</code> to <code>true</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/nm-applet]
disable-wifi-create=true
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/nm-applet/disable-wifi-create</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification" id="rule-detail-idp122739680"><div class="keywords sr-only">Disable WIFI Network Notification in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable WIFI Network Notification in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> disables WIFI notification. This should be permanently set
so that users do not connect to a wireless network when the system finds one.
While useful for mobile devices, this setting should be disabled for all other systems.
To configure the system to disable the WIFI notification, add or set
<code>suppress-wireless-networks-available</code> to <code>true</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/nm-applet]
suppress-wireless-networks-available=true
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/nm-applet/suppress-wireless-networks-available</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Wireless network connections should not be allowed to be configured by general
users on a given system as it could open the system to backdoor attacks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" id="rule-detail-idp122744640"><div class="keywords sr-only">Require Credential Prompting for Remote Access in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Require Credential Prompting for Remote Access in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> does not require credentials when using <code>Vino</code> for
remote access. To configure the system to require remote credentials, add or set
<code>authentication-methods</code> to <code>['vnc']</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/Vino]
authentication-methods=['vnc']
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/Vino/authentication-methods</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Username and password prompting is required for remote access. Otherwise, non-authorized
and nefarious users can access the system freely.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" id="rule-detail-idp122749648"><div class="keywords sr-only">Require Encryption for Remote Access in GNOME3xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Require Encryption for Remote Access in GNOME3</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-2(1)(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>GNOME</code> requires encryption when using <code>Vino</code> for remote access.
To prevent remote access encryption from being disabled, add or set
<code>require-encryption</code> to <code>true</code> in
<code>/etc/dconf/db/local.d/00-security-settings</code>. For example:
<pre>[org/gnome/Vino]
require-encryption=true
</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/Vino/require-encryption</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Open X displays allow an attacker to capture keystrokes and to execute commands
remotely.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" id="rule-detail-idp122754608"><div class="keywords sr-only">Disable GNOME3 Automountingxccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable GNOME3 Automounting</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3, add or set
<code>automount</code> to <code>false</code>, <code>automount-open</code> to <code>false</code>, and
<code>autorun-never</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>.
For example:
<pre>[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never</pre>
After the settings have been set, run <code>dconf update</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" id="rule-detail-idp122759568"><div class="keywords sr-only">Disable All GNOME3 Thumbnailersxccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable All GNOME3 Thumbnailers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, add or set <code>disable-all</code>
to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</code>.
For example:
<pre>[org/gnome/desktop/thumbnailers]
disable-all=true</pre>
Once the settings have been added, add a lock to
<code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code> to prevent user modification.
For example:
<pre>/org/gnome/desktop/thumbnailers/disable-all</pre>
After the settings have been set, run <code>dconf update</code>.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" id="rule-detail-idp122657776"><div class="keywords sr-only">Configure GNOME3 DConf User Profilexccdf_org.ssgproject.content_rule_enable_dconf_user_profile highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure GNOME3 DConf User Profile</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_dconf_user_profile</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, DConf provides a standard user profile. This profile contains a list
of DConf configuration databases. The user profile and database always take the
highest priority. As such the DConf User profile should always exist and be
configured correctly. 
<br><br>
To make sure that the user profile is configured correctly, the file <code>/etc/dconf/profile/user</code> should be set as follows:
<pre>user-db:user
system-db:local
system-db:site
system-db:distro
</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Failure to have a functional DConf profile prevents GNOME3 configuration settings
from being enforced for all users and allows various security risks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-detail-idp122764528"><div class="keywords sr-only">Add nodev Option to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to Non-Root Local Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.11</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option prevents files from being
interpreted as character or block devices. 
Legitimate character and block devices should exist only in
the <code>/dev</code> directory on the root partition or within chroot
jails built for system services.

        Add the <code>nodev</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any non-root local partitions.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>nodev</code> mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the <code>/dev</code> directory located on the root partition.
The only exception to this is chroot jails; it is not advised
to set <code>nodev</code> on these filesystems.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" id="rule-detail-idp122768224"><div class="keywords sr-only">Add nodev Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to Removable Media Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the <code>/dev</code> directory on the root partition or within chroot
jails built for system services.

        Add the <code>nodev</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any removable media partitions.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set <code>nodev</code> on partitions which contain their root
filesystems.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" id="rule-detail-idp122772736"><div class="keywords sr-only">Add noexec Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to Removable Media Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">87</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.12</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option prevents the direct
execution of binaries on the mounted filesystem. 
Preventing the direct execution of binaries from removable media (such as a USB
key) provides a defense against malicious software that may be present on such
untrusted media.

        Add the <code>noexec</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any removable media partitions.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" id="rule-detail-idp122778544"><div class="keywords sr-only">Add nosuid Option to Removable Media Partitionsxccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to Removable Media Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.13</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removable media.

        Add the <code>nosuid</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any removable media partitions.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" id="rule-detail-idp122783056"><div class="keywords sr-only">Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>nodev</code> mount option can be used to prevent device files from
being created in <code>/tmp</code>.
Legitimate character and block devices should not exist
within temporary directories like <code>/tmp</code>. 

        Add the <code>nodev</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/tmp</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory
located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-detail-idp122786704"><div class="keywords sr-only">Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries
from being executed out of <code>/tmp</code>.

        Add the <code>noexec</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/tmp</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from world-writable directories
such as <code>/tmp</code> should never be necessary in normal operation and
can expose the system to potential compromise.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-detail-idp122790352"><div class="keywords sr-only">Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent
execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions
should not be required in these world-writable directories.

        Add the <code>nosuid</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/tmp</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-detail-idp122794000"><div class="keywords sr-only">Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.14</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent creation
of device files in <code>/dev/shm</code>.
Legitimate character and block devices should not exist
within temporary directories like <code>/dev/shm</code>. 

        Add the <code>nodev</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/dev/shm</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory
located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-detail-idp122797664"><div class="keywords sr-only">Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.16</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries
from being executed out of <code>/dev/shm</code>.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as <code>/dev/shm</code>.

        Add the <code>noexec</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/dev/shm</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from world-writable directories
such as <code>/dev/shm</code> can expose the system to potential compromise.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-detail-idp122801360"><div class="keywords sr-only">Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.14</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution
of setuid programs in <code>/dev/shm</code>.  The SUID and SGID permissions should not
be required in these world-writable directories.

        Add the <code>nosuid</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        <code>/dev/shm</code>.
        
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind" id="rule-detail-idp122805024"><div class="keywords sr-only">Bind Mount /var/tmp To /tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Bind Mount /var/tmp To /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/var/tmp</code> directory is a world-writable directory.  
Bind-mount it to <code>/tmp</code> in order to consolidate temporary storage into
one location protected by the same techniques as <code>/tmp</code>.  To do so, edit
<code>/etc/fstab</code> and add the following line:
<pre>/tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0</pre>
See the <code>mount(8)</code> man page for further explanation of bind mounting.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Having multiple locations for temporary storage is not required. Unless absolutely
necessary to meet requirements, the storage location <code>/var/tmp</code> should be bind mounted to
<code>/tmp</code> and thus share the same protections.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" id="rule-detail-idp122808688"><div class="keywords sr-only">Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-27277-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Modprobe Loading of USB Storage Driver</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27277-3">CCE-27277-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1958</a>, <a href="">SRG-OS-000114-GPOS-00059</a>, <a href="">SRG-OS-000378-GPOS-0016</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020160</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver. 

To configure the system to prevent the <code>usb-storage</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install usb-storage /bin/true</pre>
This will prevent the <code>modprobe</code> program from loading the <code>usb-storage</code>
module, but will not prevent an administrator (or another program) from using the
<code>insmod</code> program to load the module manually.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>USB storage devices such as thumb drives can be used to introduce
malicious software.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>echo "install usb-storage /bin/true" > /etc/modprobe.d/usb-storage.conf
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_bootloader_nousb_argument" id="rule-detail-idp122812352"><div class="keywords sr-only">Disable Kernel Support for USB via Bootloader Configurationxccdf_org.ssgproject.content_rule_bootloader_nousb_argument lowCCE-26548-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Support for USB via Bootloader Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bootloader_nousb_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26548-8">CCE-26548-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
All USB support can be disabled by adding the <code>nousb</code>
argument to the kernel's boot loader configuration. To do so,
append <code>nousb</code> to the <code>GRUB_CMDLINE_LINUX</code> line in <code>/etc/default/grub</code> as shown:
<pre>GRUB_CMDLINE_LINUX="vga=ext rhgb quiet nousb"</pre>
<i><b>WARNING:</b> Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.</i></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Correct the form of default kernel command line in /etc/default/grub
if ! grep -q '^GRUB_CMDLINE_LINUX=".*nousb.*"' /etc/default/grub;
then
  # Edit configuration setting
  # Append 'nousb' argument to /etc/default/grub (if not present yet)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub
  # Edit runtime setting
  # Correct the form of kernel command line for each installed kernel in the bootloader
  /sbin/grubby --update-kernel=ALL --args="nousb"
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" id="rule-detail-idp122816016"><div class="keywords sr-only">Disable Booting from USB Devices in Boot Firmwarexccdf_org.ssgproject.content_rule_bios_disable_usb_boot lowCCE-26960-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Booting from USB Devices in Boot Firmware</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bios_disable_usb_boot</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26960-5">CCE-26960-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_bios_assign_password" id="rule-detail-idp122818960"><div class="keywords sr-only">Assign Password to Prevent Changes to Boot Firmware Configurationxccdf_org.ssgproject.content_rule_bios_assign_password lowCCE-27194-0 </div><div class="panel-heading"><h3 class="panel-title">Assign Password to Prevent Changes to Boot Firmware Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bios_assign_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27194-0">CCE-27194-0</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Assign a password to the system boot firmware (historically called BIOS on PC 
systems) to require a password for any configuration changes.  
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Assigning a password to the system boot firmware prevents anyone
with physical access from configuring the system to boot
from local media and circumvent the operating system's access controls.
For systems in physically secure locations, such as
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed
against the risk of administrative personnel being unable to conduct recovery operations in
a timely fashion.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_autofs_disabled" id="rule-detail-idp122821952"><div class="keywords sr-only">Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-27498-5 </div><div class="panel-heading"><h3 class="panel-title">Disable the Automounter</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_autofs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27498-5">CCE-27498-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-19(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1958</a>, <a href="">SRG-OS-000114-GPOS-00059</a>, <a href="">SRG-OS-000378-GPOS-00163</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020160</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>autofs</code> daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as <code>/misc/cd</code>.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing <code>/etc/fstab</code>
rather than relying on the automounter.
<br><br>

    The <code>autofs</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable autofs.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling the automounter permits the administrator to 
statically control filesystem mounting through <code>/etc/fstab</code>. 
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" id="rule-detail-idp122825648"><div class="keywords sr-only">Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of cramfs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.18</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>cramfs</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install cramfs /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" id="rule-detail-idp122829312"><div class="keywords sr-only">Disable Mounting of freevxfsxccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of freevxfs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.19</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>freevxfs</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install freevxfs /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" id="rule-detail-idp122832976"><div class="keywords sr-only">Disable Mounting of jffs2xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of jffs2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.20</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>jffs2</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install jffs2 /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" id="rule-detail-idp122836640"><div class="keywords sr-only">Disable Mounting of hfsxccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of hfs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.21</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>hfs</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install hfs /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" id="rule-detail-idp122840304"><div class="keywords sr-only">Disable Mounting of hfsplusxccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of hfsplus</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.22</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>hfsplus</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install hfsplus /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" id="rule-detail-idp122843968"><div class="keywords sr-only">Disable Mounting of squashfsxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of squashfs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.23</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>squashfs</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install squashfs /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" id="rule-detail-idp122847632"><div class="keywords sr-only">Disable Mounting of udfxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of udf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.24</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to prevent the <code>udf</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install udf /bin/true</pre>
This effectively prevents usage of this uncommon filesystem.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_userowner_shadow_file" id="rule-detail-idp122851296"><div class="keywords sr-only">Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_userowner_shadow_file mediumCCE-26795-5 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_userowner_shadow_file</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26795-5">CCE-26795-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the owner of <code>/etc/shadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /etc/shadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_groupowner_shadow_file" id="rule-detail-idp122856208"><div class="keywords sr-only">Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_groupowner_shadow_file mediumCCE-27125-4 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_groupowner_shadow_file</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27125-4">CCE-27125-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the group owner of <code>/etc/shadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chgrp root /etc/shadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/shadow</code> file stores password hashes. Protection of this file is
critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" id="rule-detail-idp122861136"><div class="keywords sr-only">Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-27100-7 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on shadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27100-7">CCE-27100-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the permissions of <code>/etc/shadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 0000 /etc/shadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/shadow</code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_group" id="rule-detail-idp122866096"><div class="keywords sr-only">Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group mediumCCE-26933-2 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns group File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26933-2">CCE-26933-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the owner of <code>/etc/group</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /etc/group</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/group</code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" id="rule-detail-idp122871008"><div class="keywords sr-only">Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group mediumCCE-27037-1 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns group File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupowner_etc_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27037-1">CCE-27037-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the group owner of <code>/etc/group</code>, run the command:
    <pre xml:space="preserve">$ sudo chgrp root /etc/group</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/group</code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_group" id="rule-detail-idp122875952"><div class="keywords sr-only">Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-26949-8 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on group File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_group</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26949-8">CCE-26949-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the permissions of <code>/etc/group</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 644 /etc/group</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/group</code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" id="rule-detail-idp122880912"><div class="keywords sr-only">Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-27161-9 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27161-9">CCE-27161-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the owner of <code>/etc/gshadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /etc/gshadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file
is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" id="rule-detail-idp122885840"><div class="keywords sr-only">Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow mediumCCE-26840-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26840-9">CCE-26840-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the group owner of <code>/etc/gshadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chgrp root /etc/gshadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file
is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" id="rule-detail-idp122890800"><div class="keywords sr-only">Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-27162-7 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on gshadow File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27162-7">CCE-27162-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the permissions of <code>/etc/gshadow</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 0000 /etc/gshadow</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/gshadow</code> file contains group password hashes. Protection of this file
is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" id="rule-detail-idp122895760"><div class="keywords sr-only">Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd mediumCCE-27138-7 </div><div class="panel-heading"><h3 class="panel-title">Verify User Who Owns passwd File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_owner_etc_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27138-7">CCE-27138-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the owner of <code>/etc/passwd</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /etc/passwd</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/passwd</code> file contains information about the users that are configured on
the system. Protection of this file is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" id="rule-detail-idp122900672"><div class="keywords sr-only">Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd mediumCCE-26639-5 </div><div class="panel-heading"><h3 class="panel-title">Verify Group Who Owns passwd File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26639-5">CCE-26639-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the group owner of <code>/etc/passwd</code>, run the command:
    <pre xml:space="preserve">$ sudo chgrp root /etc/passwd</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>/etc/passwd</code> file contains information about the users that are configured on
the system. Protection of this file is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" id="rule-detail-idp122905632"><div class="keywords sr-only">Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-26887-0 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on passwd File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26887-0">CCE-26887-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To properly set the permissions of <code>/etc/passwd</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 0644 /etc/passwd</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the <code>/etc/passwd</code> file is writable by a group-owner or the
world, the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-detail-idp122910592"><div class="keywords sr-only">Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-26966-2 </div><div class="panel-heading"><h3 class="panel-title">Verify that Shared Library Files Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26966-2">CCE-26966-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre>/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are
stored in <code>/lib/modules</code>. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
<pre>$ sudo chmod go-w <i>FILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-detail-idp122915552"><div class="keywords sr-only">Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-26648-6 </div><div class="panel-heading"><h3 class="panel-title">Verify that Shared Library Files Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26648-6">CCE-26648-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20130914 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre>/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are also
stored in <code>/lib/modules</code>. All files in these directories should be
owned by the <code>root</code> user. If the directory, or any file in these
directories, is found to be owned by a user other than root, correct its
ownership with the following command:
<pre>$ sudo chown root <i>FILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-detail-idp122920512"><div class="keywords sr-only">Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs mediumCCE-27075-1 </div><div class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27075-1">CCE-27075-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
System executables are stored in the following directories by default:
<pre>/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</pre>
All files in these directories should not be group-writable or world-writable.
If any file <i>FILE</i> in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
<pre>$ sudo chmod go-w <i>FILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-detail-idp122925472"><div class="keywords sr-only">Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-27119-7 </div><div class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27119-7">CCE-27119-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
System executables are stored in the following directories by default:
<pre>/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</pre>
All files in these directories should be owned by the <code>root</code> user.
If any file <i>FILE</i> in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<pre>$ sudo chown root <i>FILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that
execution of these programs cannot be co-opted.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-detail-idp122930432"><div class="keywords sr-only">Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Verify that All World-Writable Directories Have Sticky Bits Set</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.1.17</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120929 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
<br>
To set the sticky bit on a world-writable directory <i>DIR</i>, run the
following command:
<pre>$ sudo chmod +t <i>DIR</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
<br><br>
The only authorized public directories are those temporary directories supplied with the system, 
or those designed to be temporary file repositories.  The setting is normally reserved for directories 
used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories 
requiring global read/write access.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-detail-idp122935408"><div class="keywords sr-only">Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure No World-Writable Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>It is generally a good idea to remove global (other) write
access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user
account.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-detail-idp122940416"><div class="keywords sr-only">Ensure All SGID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All SGID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SGID (set group id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
unauthorized SGID files is to determine whether any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SGID files. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Executable files with the SGID permission run with the privileges of
the owner of the file. SGID files of uncertain provenance could allow for
unprivileged users to elevate privileges. The presence of these files should be
strictly controlled on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-detail-idp122945376"><div class="keywords sr-only">Ensure All SUID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All SUID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SUID (set user id) bit should be set only on files that were
installed via authorized means. A straightforward means of identifying
unauthorized SUID files is to determine whether any were not installed as part of an
RPM package, which is cryptographically verified. Investigate the origin
of any unpackaged SUID files. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Executable files with the SUID permission run with the privileges of
the owner of the file. SUID files of uncertain provenance could allow for
unprivileged users to elevate privileges. The presence of these files should be
strictly controlled on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" id="rule-detail-idp122950336"><div class="keywords sr-only">Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_files_unowned_by_user</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T02:59:54</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020360</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" id="rule-detail-idp122953984"><div class="keywords sr-only">Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All Files Are Owned by a Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020370</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" id="rule-detail-idp122957648"><div class="keywords sr-only">Ensure All World-Writable Directories Are Owned by a System Accountxccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All World-Writable Directories Are Owned by a System Account</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120929 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>All directories in local partitions which are
world-writable should be owned by root or another
system account.  If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_umask_for_daemons" id="rule-detail-idp122962608"><div class="keywords sr-only">Set Daemon Umaskxccdf_org.ssgproject.content_rule_umask_for_daemons lowCCE-27068-6 </div><div class="panel-heading"><h3 class="panel-title">Set Daemon Umask</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_umask_for_daemons</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27068-6">CCE-27068-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140912 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The file <code>/etc/init.d/functions</code> includes initialization
parameters for most or all daemons started at boot time.  The default umask of
022 prevents creation of group- or world-writable files.  To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
<i>UMASK</i> appropriately:
<pre>umask <i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_umask_for_daemons">022</abbr></i></pre>
Setting the umask to too restrictive a setting can cause serious errors at
runtime.  Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask influences the permissions assigned to files created by a
process at run time.  An unnecessarily permissive umask could result in files
being created with insecure permissions.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_disable_users_coredumps" id="rule-detail-idp122967072"><div class="keywords sr-only">Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Core Dumps for All Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_users_coredumps</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To disable core dumps for all users, add the following line to
<code>/etc/security/limits.conf</code>:
<pre>*     hard   core    0</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" id="rule-detail-idp122972000"><div class="keywords sr-only">Disable Core Dumps for SUID programsxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable lowCCE-26900-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Core Dumps for SUID programs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26900-1">CCE-26900-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>fs.suid_dumpable</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w fs.suid_dumpable=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">fs.suid_dumpable = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program.  Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#       else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent '^fs\.suid_dumpable' /etc/sysctl.conf ; then
        sed -i 's/^fs\.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
        echo -e "\n# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
        echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-detail-idp122975648"><div class="keywords sr-only">Enable ExecShieldxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-27211-2 </div><div class="panel-heading"><h3 class="panel-title">Enable ExecShield</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27211-2">CCE-27211-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2530</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield
is enabled; it is turned off only if the hardware does not support ExecShield
or if it is disabled in <code>/etc/default/grub</code>. For Red Hat Enterprise Linux 7
32-bit systems, <code>sysctl</code> can be used to enable ExecShield.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range. This is enabled by default on the latest Red Hat and Fedora 
systems if supported by the hardware.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idp122979312"><div class="keywords sr-only">Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-27127-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27127-0">CCE-27127-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.6.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w kernel.randomize_va_space=2</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">kernel.randomize_va_space = 2</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation.  Additionally, ASLR 
makes it more difficult for an attacker to know the location of existing code
in order to repurpose it using return-oriented programming (ROP) techniques.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Set runtime for kernel.randomize_va_space
#
sysctl -q -n -w kernel.randomize_va_space=2

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' 'CCENUM'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" id="rule-detail-idp122982976"><div class="keywords sr-only">Install PAE Kernel on Supported 32-bit x86 Systemsxccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32 lowCCE-27116-3 </div><div class="panel-heading"><h3 class="panel-title">Install PAE Kernel on Supported 32-bit x86 Systems</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27116-3">CCE-27116-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
<pre>$ sudo yum install kernel-PAE</pre>
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this at reboot
and modify <code>/etc/default/grub</code> if necessary.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>On 32-bit systems that support the XD or NX bit, the vendor-supplied
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" id="rule-detail-idp122986640"><div class="keywords sr-only">Enable NX or XD Support in the BIOSxccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions lowCCE-27099-1 </div><div class="panel-heading"><h3 class="panel-title">Enable NX or XD Support in the BIOS</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27099-1">CCE-27099-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the XD or NX option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idp122989600"><div class="keywords sr-only">Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-27050-4 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27050-4">CCE-27050-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w kernel.dmesg_restrict=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">kernel.dmesg_restrict = 1</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unprivileged access to the kernel syslog can expose sensitive kernel 
address information.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Set runtime for kernel.dmesg_restrict
#
sysctl -q -n -w kernel.dmesg_restrict=1

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
#       else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#
if grep --silent '^kernel\.dmesg_restrict' /etc/sysctl.conf ; then
        sed -i 's/^kernel\.dmesg_restrict.*/kernel.dmesg_restrict = 1/g' /etc/sysctl.conf
else
        echo -e "\n# Set kernel.dmesg_restrict to 1 per security requirements" >> /etc/sysctl.conf
        echo "kernel.dmesg_restrict = 1" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" id="rule-detail-idp122993312"><div class="keywords sr-only">Ensure SELinux Not Disabled in /etc/default/grubxccdf_org.ssgproject.content_rule_enable_selinux_bootloader mediumCCE-26961-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux Not Disabled in /etc/default/grub</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_selinux_bootloader</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26961-3">CCE-26961-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">22</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">32</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SELinux can be disabled at boot time by an argument in
<code>/etc/default/grub</code>.
Remove any instances of <code>selinux=0</code> from the kernel arguments in that
file to prevent SELinux from being disabled at boot.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling a major host protection feature, such as SELinux, at boot time prevents
it from confining system services at boot time.  Further, it increases
the chances that it will remain off during system operation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idp122996976"><div class="keywords sr-only">Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state mediumCCE-27334-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27334-2">CCE-27334-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at
system boot time.  In the file <code>/etc/selinux/config</code>, add or correct the
following line to configure the system to boot into enforcing mode:
<pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
populate var_selinux_state

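# Edit /etc/selinux/config directly: /etc/sysconfig/selinux is a symlink to it,
# and an in-place edit through the symlink can replace the link instead of the real file.
replace_or_append '/etc/selinux/config' '^SELINUX=' "$var_selinux_state" 'CCENUM' '%s=%s'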
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idp123001424"><div class="keywords sr-only">Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype lowCCE-27279-9 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27279-9">CCE-27279-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux <code>targeted</code> policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in <code>/etc/selinux/config</code>:
<pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre>
Other policies, such as <code>mls</code>, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the SELinux policy to <code>targeted</code> or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in <code>permissive</code> mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
<code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" id="rule-detail-idp123005888"><div class="keywords sr-only">Uninstall setroubleshoot Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot_removed lowCCE- </div><div class="panel-heading"><h3 class="panel-title">Uninstall setroubleshoot Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-">CCE-</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.

    The <code>setroubleshoot</code> package can be removed with the following command:
    <pre>$ sudo yum erase setroubleshoot</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The SETroubleshoot service is an unnecessary daemon to
have running on a server</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_mcstrans_removed" id="rule-detail-idp123009552"><div class="keywords sr-only">Uninstall mcstrans Packagexccdf_org.ssgproject.content_rule_package_mcstrans_removed lowCCE- </div><div class="panel-heading"><h3 class="panel-title">Uninstall mcstrans Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_mcstrans_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-">CCE-</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>mcstransd</code> daemon provides category label information
to client processes requesting information. The label translations are defined
in <code>/etc/selinux/targeted/setrans.conf</code>.

    The <code>mcstrans</code> package can be removed with the following command:
    <pre>$ sudo yum erase mcstrans</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Since this service is not used very often, disable it to reduce the
amount of potentially vulnerable code running on the system.

NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please
note that Red Hat does not feel this rule is security relevant.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" id="rule-detail-idp123013200"><div class="keywords sr-only">Ensure No Daemons are Unconfined by SELinuxxccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons mediumCCE-27288-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure No Daemons are Unconfined by SELinux</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27288-0">CCE-27288-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.4.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the <code>init</code> process, they inherit the <code>initrc_t</code> context.
<br>
<br>
To check for unconfined daemons, run the following command:
<pre>$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'</pre>
It should produce no output in a well-configured system.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Daemons which run with the <code>initrc_t</code> context may cause AVC denials,
or allow privileges that the daemon does not require.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" id="rule-detail-idp123016864"><div class="keywords sr-only">Ensure No Device Files are Unlabeled by SELinuxxccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled lowCCE-27326-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure No Device Files are Unlabeled by SELinux</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27326-8">CCE-27326-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">22</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">32</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Device files, which are used for communication with important
system resources, should be labeled with proper SELinux types. If any device
files carry the SELinux type <code>device_t</code>, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If a device file carries the SELinux type <code>device_t</code>, then SELinux
cannot properly restrict access to the device file.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_no_direct_root_logins" id="rule-detail-idp123020528"><div class="keywords sr-only">Direct root Logins Not Allowedxccdf_org.ssgproject.content_rule_no_direct_root_logins mediumCCE-27294-8 </div><div class="panel-heading"><h3 class="panel-title">Direct root Logins Not Allowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_direct_root_logins</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27294-8">CCE-27294-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To further limit access to the <code>root</code> account, administrators
can disable root logins at the console by editing the <code>/etc/securetty</code> file.
This file lists all devices the root user is allowed to log in to. If the file does
not exist at all, the root user can log in through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as a user can log in to the machine as root via Telnet, which sends the password in
plain text over the network. By default, Red Hat Enterprise Linux's
<code>/etc/securetty</code> file only allows the root user to log in at the console
physically attached to the machine. To prevent direct root logins, remove the
contents of this file by typing the following command:
<pre>
$ sudo sh -c 'echo > /etc/securetty'
</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first log in, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>echo > /etc/securetty
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" id="rule-detail-idp123024160"><div class="keywords sr-only">Restrict Virtual Console Root Loginsxccdf_org.ssgproject.content_rule_securetty_root_login_console_only mediumCCE-27318-5 </div><div class="panel-heading"><h3 class="panel-title">Restrict Virtual Console Root Logins</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_securetty_root_login_console_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27318-5">CCE-27318-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre>vc/1
vc/2
vc/3
vc/4</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>sed -i '/^vc\//d' /etc/securetty
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" id="rule-detail-idp123027824"><div class="keywords sr-only">Restrict Serial Port Root Loginsxccdf_org.ssgproject.content_rule_restrict_serial_port_logins lowCCE-27268-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Serial Port Root Logins</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_restrict_serial_port_logins</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27268-2">CCE-27268-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To restrict root logins on serial ports,
ensure lines of this form do not appear in <code>/etc/securetty</code>:
<pre>ttyS0
ttyS1</pre>

</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>sed -i '/ttyS/d' /etc/securetty
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_no_root_webbrowsing" id="rule-detail-idp123031488"><div class="keywords sr-only">Restrict Web Browser Use for Administrative Accountsxccdf_org.ssgproject.content_rule_no_root_webbrowsing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Web Browser Use for Administrative Accounts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_root_webbrowsing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-detail-idp123035120"><div class="keywords sr-only">Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-26448-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure that System Accounts Do Not Run a Shell Upon Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26448-1">CCE-26448-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
<br><br>
The login shell for each local account is stored in the last field of each line
in <code>/etc/passwd</code>. System accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field.
If any system account <i>SYSACCT</i> (other than root) has a login shell,
disable it with the command:
<pre>$ sudo usermod -s /sbin/nologin <i>SYSACCT</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-detail-idp123040080"><div class="keywords sr-only">Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-27175-9 </div><div class="panel-heading"><h3 class="panel-title">Verify Only Root Has UID 0</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27175-9">CCE-27175-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020310</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If any account other than root has a UID of 0, this misconfiguration should 
be investigated and the accounts other than root should be removed or 
have their UID changed.
<br>
If the account is associated with system commands or applications the UID should be changed
to one greater than "0" but less than "1000". Otherwise assign a UID greater than "1000" that
has not already been assigned.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_root_path_default" id="rule-detail-idp123043744"><div class="keywords sr-only">Root Path Must Be Vendor Defaultxccdf_org.ssgproject.content_rule_root_path_default lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Root Path Must Be Vendor Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_root_path_default</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Assuming root shell is bash, edit the following files:
<pre>~/.profile</pre>
<pre>~/.bashrc</pre>
Change any <code>PATH</code> variables to the vendor default for root and remove any
empty <code>PATH</code> entries or references to relative paths.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The root account's executable search path must be the vendor default, and must
contain only absolute paths.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idp123047376"><div class="keywords sr-only">Prevent Log In to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-27286-4 </div><div class="panel-heading"><h3 class="panel-title">Prevent Log In to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27286-4">CCE-27286-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">010260</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <code>nullok</code>
option in <code>/etc/pam.d/system-auth</code> to
prevent logins with empty passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>sed -i 's/\&lt;nullok\&gt;//g' /etc/pam.d/system-auth
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-detail-idp123051008"><div class="keywords sr-only">Verify All Account Password Hashes are Shadowedxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed mediumCCE-27352-4 </div><div class="panel-heading"><h3 class="panel-title">Verify All Account Password Hashes are Shadowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27352-4">CCE-27352-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If any password hashes are stored in <code>/etc/passwd</code> (in the second field,
instead of an <code>x</code>), the cause of this misconfiguration should be
investigated.  The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The hashes for all user account passwords should be stored in
the file <code>/etc/shadow</code> and never in <code>/etc/passwd</code>,
which is readable by all users.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_gid_passwd_group_same" id="rule-detail-idp123054672"><div class="keywords sr-only">All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-27503-2 </div><div class="panel-heading"><h3 class="panel-title">All GIDs referenced in /etc/passwd must be defined in /etc/group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_gid_passwd_group_same</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27503-2">CCE-27503-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</a>, <a href="">SRG-OS-000104-GPOS-00051</a>, <a href="">020300</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.5.a</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Add a group to the system for each GID referenced without a corresponding group.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with that Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_no_netrc_files" id="rule-detail-idp123058304"><div class="keywords sr-only">Verify No netrc Files Existxccdf_org.ssgproject.content_rule_no_netrc_files mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Verify No netrc Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_netrc_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>.netrc</code> files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords for
remote FTP servers, making them susceptible to access by unauthorized
users, and should not be used.  Any <code>.netrc</code> files should be removed.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unencrypted passwords for remote FTP servers may be stored in <code>.netrc</code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-detail-idp123063216"><div class="keywords sr-only">Set Password Minimum Length in login.defsxccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs mediumCCE-27123-9 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27123-9">CCE-27123-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password length requirements for new accounts,
edit the file <code>/etc/login.defs</code> and add or correct the following
lines:
<pre>PASS_MIN_LEN 14</pre>
<br><br>
The DoD requirement is <code>14</code>. 
The FISMA requirement is <code>12</code>.
If a program consults <code>/etc/login.defs</code> and also another PAM module
(such as <code>pam_pwquality</code>) during a password change operation,
then the most restrictive requirement must be satisfied. See the PAM section
for more information about enforcing password quality requirements.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-detail-idp123069040"><div class="keywords sr-only">Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-27002-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27002-5">CCE-27002-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">198</a>, <a href="">SRG-OS-000075-GPOS-00043</a>, <a href="">010200</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password minimum age for new accounts,
edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <i>DAYS</i> appropriately:
<pre>PASS_MIN_DAYS <i>DAYS</i></pre>
A value of 1 day is considered sufficient for many
environments. The DoD requirement is 1.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat
the password reuse or history enforcement requirement. If users are allowed to immediately
and continually change their password, then the password could be repeatedly changed in a 
short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password
after satisfying the password reuse requirement.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_minimum_age_login_defs="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr>"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idp123073552"><div class="keywords sr-only">Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-27051-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27051-2">CCE-27051-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">199</a>, <a href="">SRG-OS-000076-GPOS-00044</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">7.1.1</a>, <a href="">010220</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password maximum age for new accounts,
edit the file <code>/etc/login.defs</code>
and add or correct the following line, replacing <i>DAYS</i> appropriately:
<pre>PASS_MAX_DAYS <i>DAYS</i></pre>
A value of 180 days is sufficient for many environments. 
The DoD requirement is 60.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised. 

Setting the password maximum age ensures users are required to
periodically change their passwords. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_maximum_age_login_defs="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr>"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" id="rule-detail-idp123078064"><div class="keywords sr-only">Set Password Warning Agexccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs lowCCE-26486-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Warning Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26486-1">CCE-26486-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify how many days prior to password
expiration a warning will be issued to users,
edit the file <code>/etc/login.defs</code> and add or correct
 the following line, replacing <i>DAYS</i> appropriately:
<pre>PASS_WARN_AGE <i>DAYS</i></pre>
The DoD requirement is 7.

</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the password warning age enables users to
make the change at a practical time.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-detail-idp123083904"><div class="keywords sr-only">Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-27355-7 </div><div class="panel-heading"><h3 class="panel-title">Set Account Expiration Following Inactivity</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27355-7">CCE-27355-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">795</a>, <a href="">SRG-OS-000118-GPOS-00060</a>, <a href="">010280</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in <code>/etc/default/useradd</code>, substituting
<code><i>NUM_DAYS</i></code> appropriately:
<pre>INACTIVE=<i>NUM_DAYS</i></pre>
A value of 35 is recommended.  
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
<code>useradd</code> man page for more information.  Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_account_disable_post_pw_expiration="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">0</abbr>"
grep -q ^INACTIVE /etc/default/useradd && \
  sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd
if ! [ $? -eq 0 ]; then
    echo "INACTIVE=$var_account_disable_post_pw_expiration" >> /etc/default/useradd
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_account_unique_name" id="rule-detail-idp123088432"><div class="keywords sr-only">Ensure All Accounts on the System Have Unique Namesxccdf_org.ssgproject.content_rule_account_unique_name lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure All Accounts on the System Have Unique Names</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_unique_name</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">804</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Change usernames, or delete accounts, so each has a unique name.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unique usernames allow for accountability on the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_account_temp_expire_date" id="rule-detail-idp123093344"><div class="keywords sr-only">Assign Expiration Date to Temporary Accountsxccdf_org.ssgproject.content_rule_account_temp_expire_date lowCCE-27498-5 </div><div class="panel-heading"><h3 class="panel-title">Assign Expiration Date to Temporary Accounts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_temp_expire_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27498-5">CCE-27498-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">16</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1682</a>, <a href="">2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Temporary accounts are established as part of normal account activation procedures
when there is a need for short-term accounts. In the event temporary 
or emergency accounts are required, configure the system to terminate 
them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting <code><i>USER</i></code> and <code><i>YYYY-MM-DD</i></code> appropriately:
<pre>$ sudo chage -E <i>YYYY-MM-DD USER</i></pre>
<code><i>YYYY-MM-DD</i></code> indicates the documented expiration date for the account.
For U.S. Government systems, the operating system must be configured to automatically terminate
these types of accounts after a period of 72 hours.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
<br>
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" id="rule-detail-idp123101280"><div class="keywords sr-only">Set Password Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry lowCCE-27160-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Retry Prompts Permitted Per-Session</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_retry</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27160-1">CCE-27160-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="">SRG-OS-000480-GPOS-00225</a>, <a href="">010410</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140925 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the number of retry prompts that are permitted per-session:
<br><br>
Edit the <code>pam_pwquality.so</code> statement in <code>/etc/pam.d/system-auth</code> to 
show <code>retry=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_retry">3</abbr></code>, or a lower value if site policy is more restrictive.
<br><br>
The DoD requirement is a maximum of 3 prompts per session.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_retry="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_retry">3</abbr>"
if grep -q "retry=" /etc/pam.d/system-auth; then   
        sed -i --follow-symlinks "s/\(retry *= *\)[0-9]*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
else
        sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-detail-idp123105776"><div class="keywords sr-only">Set Password to Maximum of Three Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-27333-4 </div><div class="panel-heading"><h3 class="panel-title">Set Password to Maximum of Three Consecutive Repeating Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27333-4">CCE-27333-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">195</a>, <a href="">SRG-OS-000072-GPOS-00040</a>, <a href="">010150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of identical consecutive characters. Modify the <code>maxrepeat</code> setting
in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">2</abbr> to prevent a 
run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">2</abbr> + 1) or more identical characters.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required to compromise the password. 
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at 
guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before the
password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_maxrepeat="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">2</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-27333-4' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-detail-idp123110288"><div class="keywords sr-only">Set Password to Maximum of Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat lowCCE-27512-3 </div><div class="panel-heading"><h3 class="panel-title">Set Password to Maximum of Consecutive Repeating Characters from Same Character Class</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27512-3">CCE-27512-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">195</a>, <a href="">SRG-OS-000072-GPOS-00040</a>, <a href="">010160</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
<code>maxclassrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">2</abbr>
to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">2</abbr> + 1) or more characters from the same character class.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
<br>
Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex a password, the greater the number of possible combinations that need to be tested before the
password is compromised.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idp123114800"><div class="keywords sr-only">Set Password Strength Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-27214-6 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Digit Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27214-6">CCE-27214-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">194</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">194</a>, <a href="">SRG-OS-000071-GPOS-00039</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="">010110</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>dcredit</code> parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the <code>dcredit</code> setting in 
<code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks. 

Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of 
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_dcredit="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_dcredit">-1</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-27214-6' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idp123119296"><div class="keywords sr-only">Set Password Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-27293-0 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27293-0">CCE-27293-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</a>, <a href="">SRG-OS-000078-GPOS-00046</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="">010250</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140928 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minlen</code> parameter controls requirements for
minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">15</abbr></code>
after pam_pwquality to set minimum password length requirements.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
<br>
Password complexity, or strength, is a measure of the effectiveness of a 
password in resisting attempts at guessing and brute-force attacks. 
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to 
compromise the password.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_minlen="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">15</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-27293-0' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idp123123792"><div class="keywords sr-only">Set Password Strength Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit lowCCE-27200-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Uppercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27200-5">CCE-27200-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">192</a>, <a href="">SRG-OS-000069-GPOS-00037</a>, <a href="">010090</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the <code>ucredit</code> setting in
<code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
<br>
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_ucredit="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ucredit">-1</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-27200-5' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idp123128288"><div class="keywords sr-only">Set Password Strength Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-27360-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27360-7">CCE-27360-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1619</a>, <a href="">SRG-OS-000266-GPOS-00101</a>, <a href="">010120</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 
additional length credit for each special character. Modify the <code>ocredit</code> setting in 
<code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks. 

Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of 
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_ocredit="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-27360-7' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idp123132784"><div class="keywords sr-only">Set Password Strength Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-27345-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Lowercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27345-8">CCE-27345-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">193</a>, <a href="">SRG-OS-000070-GPOS-00038</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="">010100</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>lcredit</code> parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the <code>lcredit</code> setting in 
<code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks. 

Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of 
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_lcredit="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_lcredit">-1</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-27345-8' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-detail-idp123137280"><div class="keywords sr-only">Set Password Strength Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-26631-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_difok</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26631-2">CCE-26631-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">195</a>, <a href="">SRG-OS-000072-GPOS-00040</a>, <a href="">010130</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>difok</code> parameter sets the number of characters
in a password that must not be present in an old password during a password change.

Modify the <code>difok</code> setting in <code>/etc/security/pwquality.conf</code>
to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_difok">5</abbr> to require differing characters 
when changing passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources 
required to compromise the password. Password complexity, or strength, 
is a measure of the effectiveness of a password in resisting attempts 
at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long 
it takes to crack a password. The more complex the password, the 
greater the number of possible combinations that need to be tested 
before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_difok="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_difok">5</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-26631-2' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" id="rule-detail-idp123141776"><div class="keywords sr-only">Set Password Strength Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-27115-5 </div><div class="panel-heading"><h3 class="panel-title">Set Password Strength Minimum Different Categories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27115-5">CCE-27115-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">195</a>, <a href="">SRG-OS-000072-GPOS-00040</a>, <a href="">010140</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140626 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minclass</code> parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
<pre>
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
</pre>
Modify the <code>minclass</code> setting in <code>/etc/security/pwquality.conf</code> to require <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minclass">4</abbr> 
differing categories of characters when changing passwords. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts 
at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The
more complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult 
by ensuring a larger search space.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_minclass="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minclass">4</abbr>"
replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass 'CCE-27115-5' '%s = %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idp123146288"><div class="keywords sr-only">Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-27350-8 </div><div class="panel-heading"><h3 class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27350-8">CCE-27350-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2238</a>, <a href="">SRG-OS-000329-GPOS-00128</a>, <a href="">SRG-OS-000021-GPOS-00005</a>, <a href="">010370</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to lock out accounts after a number of incorrect login
attempts using <code>pam_faillock.so</code>, modify the content of both
<code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows:
<br><br>
<ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section:
<pre>account required pam_faillock.so</pre></li></ul>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_passwords_pam_faillock_deny="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr>"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
        
        # pam_faillock.so already present?
        if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

                # pam_faillock.so present, deny directive present?
                if grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*deny=" $pamFile; then

                        # both pam_faillock.so & deny present, correct only the deny value and keep any options that follow it
                        sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\)[^[:space:]]*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
                        sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(deny *= *\)[^[:space:]]*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile

                # pam_faillock.so present, but deny directive not yet
                else

                        # append correct deny value to appropriate places
                        sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
                        sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
                fi

        # pam_faillock.so not present yet
        else

                # insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
                sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
        fi
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idp123150816"><div class="keywords sr-only">Set Lockout Time For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-26884-7 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26884-7">CCE-26884-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">002238</a>, <a href="">SRG-OS-000329-GPOS-00128</a>, <a href="">SRG-OS-000021-GPOS-00005</a>, <a href="">010371</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>,
modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows:
<br><br>
<ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section:
<pre>account required pam_faillock.so</pre></li></ul>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.  Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_passwords_pam_faillock_unlock_time="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr>"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
        
        # pam_faillock.so already present?
        if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

                # pam_faillock.so present, unlock_time directive present?
                if grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*unlock_time=" $pamFile; then

                        # both pam_faillock.so & unlock_time present, correct only the unlock_time value and keep any options that follow it
                        sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(unlock_time *= *\)[^[:space:]]*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
                        sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\)[^[:space:]]*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile

                # pam_faillock.so present, but unlock_time directive not yet
                else

                        # append correct unlock_time value to appropriate places
                        sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
                        sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
                fi

        # pam_faillock.so not present yet
        else

                # insert pam_faillock.so preauth & authfail rows with proper value of the 'unlock_time' option
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
                sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
        fi
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idp123155392"><div class="keywords sr-only">Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-27297-1 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27297-1">CCE-27297-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">44</a>, <a href="">21</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out accounts after a number of incorrect login
attempts. Modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows:
<br><br>
<ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section:
<pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">604800</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section:
<pre>account required pam_faillock.so</pre></li></ul>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_passwords_pam_faillock_fail_interval="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr>"
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do

        # pam_faillock.so already present?
        if grep -q "^auth.*pam_faillock.so.*" "$pamFile"; then

                # pam_faillock.so present, 'fail_interval' directive present?
                # (brackets are escaped so that [default=die] is matched literally, not as a bracket expression)
                if grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*fail_interval=" "$pamFile"; then

                        # both pam_faillock.so and 'fail_interval' present, just correct 'fail_interval' directive value
                        sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" "$pamFile"
                        sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" "$pamFile"

                # pam_faillock.so present, but 'fail_interval' directive not yet
                else

                        # append correct 'fail_interval' value to appropriate places
                        sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" "$pamFile"
                        sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" "$pamFile"
                fi

        # pam_faillock.so not present yet
        else

                # insert pam_faillock.so preauth and authfail rows with proper value of the 'fail_interval' option
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" "$pamFile"
                sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" "$pamFile"
                sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" "$pamFile"
        fi
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idp123159952"><div class="keywords sr-only">Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-26923-3 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26923-3">CCE-26923-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">200</a>, <a href="">SRG-OS-000077-GPOS-00045</a>, <a href="">010240</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Do not allow users to reuse recent passwords. This can be
accomplished by using the <code>remember</code> option for the <code>pam_unix</code>
or <code>pam_pwhistory</code> PAM modules. In the file
<code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></code>
to the line which refers to the <code>pam_unix.so</code> or
<code>pam_pwhistory.so</code> module, as shown below:
<ul><li>for the <code>pam_unix.so</code> case:
<pre>password sufficient pam_unix.so <i>existing_options</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre>
</li><li>for the <code>pam_pwhistory.so</code> case:
<pre>password requisite pam_pwhistory.so <i>existing_options</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre>
</li></ul>
The DoD STIG requirement is 5 passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_password_pam_unix_remember="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr>"
if grep -q "remember=" /etc/pam.d/system-auth; then   
        sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
        sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" id="rule-detail-idp123164464"><div class="keywords sr-only">Set PAM's Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-27104-9 </div><div class="panel-heading"><h3 class="panel-title">Set PAM's Password Hashing Algorithm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27104-9">CCE-27104-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</a>, <a href="">SRG-OS-000073-GPOS-00041</a>, <a href="">010170</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The PAM system service can be configured to only store encrypted representations of passwords.
In <code>/etc/pam.d/system-auth</code>, the <code>password</code> section of the file controls 
which PAM modules execute during a password change. Set the <code>pam_unix.so</code> 
module in the <code>password</code> section to include the argument <code>sha512</code>, as shown below:
<br>
<pre>password    sufficient    pam_unix.so sha512 <i>other arguments...</i></pre>
<br>
This helps ensure that, when local users change their passwords, hashes for the new
passwords are generated using the SHA-512 algorithm. This is the default.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Passwords need to be protected at all times, and encryption is the standard method for protecting
passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they 
are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only
encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option
ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. 
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" id="rule-detail-idp123168160"><div class="keywords sr-only">Set Password Hashing Algorithm in /etc/login.defsxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs mediumCCE-27124-7 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27124-7">CCE-27124-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</a>, <a href="">SRG-OS-000073-GPOS-00041</a>, <a href="">010180</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.3.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
In <code>/etc/login.defs</code>, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
<pre>ENCRYPT_METHOD SHA512</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" id="rule-detail-idp123171840"><div class="keywords sr-only">Set Password Hashing Algorithm in /etc/libuser.confxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf mediumCCE-27053-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Hashing Algorithm in /etc/libuser.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27053-8">CCE-27053-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</a>, <a href="">SRG-OS-000073-GPOS-00041</a>, <a href="">010190</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
In <code>/etc/libuser.conf</code>, add or correct the following line in its
<code>[defaults]</code> section to ensure the system will use the SHA-512
algorithm for password hashing:
<pre>crypt_style = sha512</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Passwords need to be protected at all times, and encryption is the standard method for protecting
passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they 
are kept in plain text.

This setting ensures user and group account administration utilities are configured to store only
encrypted representations of passwords. Additionally, the <code>crypt_style</code> configuration option
ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult. 
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-detail-idp123097632"><div class="keywords sr-only">Set Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-27275-7 </div><div class="panel-heading"><h3 class="panel-title">Set Last Logon/Access Notification</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_display_login_attempts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27275-7">CCE-27275-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">53</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to notify users of last logon/access
using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in
<code>/etc/pam.d/postlogin</code> to read as follows:
<pre>session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to log in to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_root_path_no_dot" id="rule-detail-idp123184544"><div class="keywords sr-only">Ensure that Root's Path Does Not Include Relative Paths or Null Directoriesxccdf_org.ssgproject.content_rule_root_path_no_dot lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_root_path_no_dot</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Ensure that none of the directories in root's path is equal to a single
<code>.</code> character, and
that none contains elements that lead to relative path traversal, such as
<code>..</code> or a path that begins without the slash (<code>/</code>) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
<pre>PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin</pre>
These empty elements have the same effect as a single <code>.</code> character.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Including these entries increases the risk that root could
execute code from an untrusted location.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" id="rule-detail-idp123188176"><div class="keywords sr-only">Ensure that Root's Path Does Not Include World or Group-Writable Directoriesxccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure that Root's Path Does Not Include World or Group-Writable Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
For each element in root's path, run:
<pre># ls -ld <i>DIR</i></pre>
and ensure that write permissions are disabled for group and
other.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-detail-idp123198096"><div class="keywords sr-only">Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Bash Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140912 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read
as follows:
<pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" id="rule-detail-idp123203872"><div class="keywords sr-only">Ensure the Default C Shell Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default C Shell Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140912 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To ensure the default umask for users of the C shell is set properly,
add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> to read as follows:
<pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-detail-idp123209664"><div class="keywords sr-only">Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in /etc/profile</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20120929 by swells</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To ensure the default umask controlled by <code>/etc/profile</code> is set properly,
add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows:
<pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" id="rule-detail-idp123215456"><div class="keywords sr-only">Ensure the Default Umask is Set Correctly in login.defsxccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140912 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To ensure the default umask controlled by <code>/etc/login.defs</code> is set properly,
add or correct the <code>UMASK</code> setting in <code>/etc/login.defs</code> to read as follows:
<pre>UMASK <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_tmout" id="rule-detail-idp123175536"><div class="keywords sr-only">Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-27557-8 </div><div class="panel-heading"><h3 class="panel-title">Set Interactive Session Timeout</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_tmout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27557-8">CCE-27557-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">0361</a>, <a href="">SRG-OS-000163-GPOS-00072</a>, <a href="">040160</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Terminating an idle session within a short time period reduces 
the window of opportunity for unauthorized personnel to take control of a 
management session enabled on the console or console port that has been 
left unattended.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-detail-idp123179984"><div class="keywords sr-only">Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-27081-9 </div><div class="panel-heading"><h3 class="panel-title">Limit the Number of Concurrent Login Sessions Allowed Per User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27081-9">CCE-27081-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">54</a>, <a href="">SRG-OS-000027-GPOS-00008</a>, <a href="">040010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in <code>/etc/security/limits.conf</code>:
<pre>* hard maxlogins <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions">10</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_accounts_max_concurrent_login_sessions="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions">10</abbr>"
echo "*    hard    maxlogins       $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_home_dirs" id="rule-detail-idp123193136"><div class="keywords sr-only">Ensure that User Home Directories are not Group-Writable or World-Readablexccdf_org.ssgproject.content_rule_file_permissions_home_dirs lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure that User Home Directories are not Group-Writable or World-Readable</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_home_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(7)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>For each human user of the system, view the
permissions of the user's home directory:
<pre># ls -ld /home/<i>USER</i></pre>
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
<pre># chmod g-w /home/<i>USER</i>
# chmod o-rwx /home/<i>USER</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        This action may involve
modifying user home directories. Notify your user community, and
solicit input if appropriate, before making this type of
change.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" id="rule-detail-idp123221248"><div class="keywords sr-only">Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg mediumCCE-26860-7 </div><div class="panel-heading"><h3 class="panel-title">Verify /boot/grub2/grub.cfg User Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26860-7">CCE-26860-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(7)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-7.1</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The file <code>/boot/grub2/grub.cfg</code> should 
be owned by the <code>root</code> user to prevent destruction 
or modification of the file.

    To properly set the owner of <code>/boot/grub2/grub.cfg</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /boot/grub2/grub.cfg</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Only root should be able to modify important boot parameters.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" id="rule-detail-idp123226192"><div class="keywords sr-only">Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg mediumCCE-26812-8 </div><div class="panel-heading"><h3 class="panel-title">Verify /boot/grub2/grub.cfg Group Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26812-8">CCE-26812-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(7)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-7.1</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The file <code>/boot/grub2/grub.cfg</code> should 
be group-owned by the <code>root</code> group to prevent 
destruction or modification of the file.

    To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
    <pre xml:space="preserve">$ sudo chgrp root /boot/grub2/grub.cfg</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The <code>root</code> group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" id="rule-detail-idp123231152"><div class="keywords sr-only">Verify /boot/grub2/grub.cfg Permissionsxccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg mediumCCE-27054-6 </div><div class="panel-heading"><h3 class="panel-title">Verify /boot/grub2/grub.cfg Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27054-6">CCE-27054-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(7)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>File permissions for <code>/boot/grub2/grub.cfg</code> should be set to 600.

    To properly set the permissions of <code>/boot/grub2/grub.cfg</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 600 /boot/grub2/grub.cfg</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Proper permissions ensure that only the root user can modify important boot
parameters.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_bootloader_password" id="rule-detail-idp123236112"><div class="keywords sr-only">Set Boot Loader Passwordxccdf_org.ssgproject.content_rule_bootloader_password mediumCCE-27309-4 </div><div class="panel-heading"><h3 class="panel-title">Set Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bootloader_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27309-4">CCE-27309-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</a>, <a href="">SRG-OS-000080-GPOS-00048</a>, <a href="">010460</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.5.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
<br><br>
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under <code>/etc/grub.d</code>.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
<pre>$ grub2-mkpasswd-pbkdf2</pre>
When prompted, enter the password that was selected and insert the returned 
password hash into the appropriate grub2 configuration file(s) under
<code>/etc/grub.d</code> immediately after the superuser account.
(Use the output from <code>grub2-mkpasswd-pbkdf2</code> as the value of 
<b>password-hash</b>):
<pre>password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account. 
<br>
To meet FISMA Moderate, the bootloader superuser account and password MUST 
differ from the root account and password.
Once the superuser account and password have been added, update the 
<code>grub.cfg</code> file by running:
<pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
NOTE: Do NOT manually add the superuser account and password to the 
<code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure 
the grub2 superuser account and password, please refer to:
<ul><li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html</li>
</ul>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_screen_installed" id="rule-detail-idp123254368"><div class="keywords sr-only">Install the screen Packagexccdf_org.ssgproject.content_rule_package_screen_installed mediumCCE-27351-6 </div><div class="panel-heading"><h3 class="panel-title">Install the screen Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_screen_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27351-6">CCE-27351-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</a>, <a href="">SRG-OS-000029-GPOS-00010</a>, <a href="">010072</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To enable console screen locking, install the <code>screen</code> package:
<pre>$ sudo yum install screen</pre>
Instruct users to begin new terminal sessions with the following command:
<pre>$ screen</pre>
The console can now be locked with the following key combination:
<pre>ctrl+a x</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not log out because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock. 

The <code>screen</code> package allows for a session lock to be implemented and configured.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>yum -y install screen
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="rule-detail-idp123258016"><div class="keywords sr-only">Enable Smart Card Loginxccdf_org.ssgproject.content_rule_smartcard_auth mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Smart Card Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">767</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">768</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">771</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">772</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">884</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To enable smart card authentication, consult the documentation at:
<ul><li><b>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#authconfig-smartcard</b></li></ul>
For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
<ul><li><b>https://access.redhat.com/solutions/82273</b></li></ul>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idp123239744"><div class="keywords sr-only">Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-27287-2 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27287-2">CCE-27287-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
<br><br>
By default, single-user mode is protected by requiring a password and is set
in <code>/usr/lib/systemd/system/rescue.service</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="rule-detail-idp123243392"><div class="keywords sr-only">Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable debug-shell SystemD Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_debug-shell_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>SystemD's <code>debug-shell</code> service is intended to
diagnose SystemD related boot issues with various <code>systemctl</code>
commands. Once enabled and following a system reboot, the root shell
will be available on <code>tty9</code>, which is accessed by pressing
<code>CTRL-ALT-F9</code>. The <code>debug-shell</code> service should only be used
for SystemD related issues and should otherwise be disabled.
<br><br>
By default, the <code>debug-shell</code> SystemD service is disabled.

    The <code>debug-shell</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable debug-shell.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-detail-idp123247056"><div class="keywords sr-only">Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-27511-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Reboot Activation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27511-5">CCE-27511-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">020220</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
key sequence is pressed.
<br>
To configure the system from the command line to ignore the <code>Ctrl-Alt-Del</code> key sequence
instead of rebooting the system, do either of the following:
<pre>ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre>
or
<pre>systemctl mask ctrl-alt-del.target</pre>
<br>
Do not simply delete the <code>/usr/lib/systemd/system/ctrl-alt-del.service</code> file,
as this file may be restored during future system updates.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of a mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code># The process to disable ctrl+alt+del has changed in RHEL7. 
# Reference: https://access.redhat.com/solutions/1123873
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_disable_interactive_boot" id="rule-detail-idp123250720"><div class="keywords sr-only">Disable Interactive Bootxccdf_org.ssgproject.content_rule_disable_interactive_boot mediumCCE-27335-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Interactive Boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_interactive_boot</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27335-9">CCE-27335-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To disable the ability for users to perform interactive startups,
edit the file <code>/etc/sysconfig/init</code>.
Add or correct the line:
<pre>PROMPT=no</pre>
The <code>PROMPT</code> option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>grep -q ^PROMPT /etc/sysconfig/init && \
  sed -i "s/^PROMPT.*/PROMPT=no/g" /etc/sysconfig/init
if ! [ $? -eq 0 ]; then
    echo "PROMPT=no" >> /etc/sysconfig/init
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-detail-idp123267376"><div class="keywords sr-only">Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-26970-4 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Login Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26970-4">CCE-26970-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</a>, <a href="">OS-SRG-000023-GPOS-00006</a>, <a href="">SRG-OS-000024-GPOS-00007</a>, <a href="">SRG-OS-000228-GPOS-00088</a>, <a href="">010031</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the <code>banner-message-enable</code> setting must be
set in the appropriate configuration file(s) in the <code>/etc/dconf/db/gdm.d</code> directory
and locked in the <code>/etc/dconf/db/gdm.d/locks</code> directory to prevent user modification.
After the settings have been set, run <code>dconf update</code>.
To display a banner, this setting must be enabled, and the user must be prevented
from making changes. The banner text must also be set.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" id="rule-detail-idp123271040"><div class="keywords sr-only">Set the GNOME3 Login Warning Banner Textxccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text mediumCCE-26892-0 </div><div class="panel-heading"><h3 class="panel-title">Set the GNOME3 Login Warning Banner Text</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26892-0">CCE-26892-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">50</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</a>, <a href="">23</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To set the text shown by the GNOME3 Display Manager
in the login screen, the <code>banner-message-text</code> setting must be set in the
appropriate configuration file(s) in the <code>/etc/dconf/db/gdm.d</code> directory and locked
in the <code>/etc/dconf/db/gdm.d/locks</code> directory to prevent user modification.
After the settings have been set, run <code>dconf update</code>.
When entering a warning banner that spans several lines, remember
to begin and end the string with <code>'</code> and use <code>\n</code> for new lines.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-detail-idp123262928"><div class="keywords sr-only">Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-27303-7 </div><div class="panel-heading"><h3 class="panel-title">Modify the System Login Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_banner_etc_issue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27303-7">CCE-27303-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</a>, <a href="">SRG-OS-000023-GPOS-00006</a>, <a href="">SRG-OS-000024-GPOS-00007</a>, <a href="">010040</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure the system login banner, edit <code>/etc/issue</code>. Replace
the default text with a message compliant with the local site policy 
or a legal disclaimer.

The DoD required text is either:
<br><br>
<code>You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions: 
<br>-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations. 
<br>-At any time, the USG may inspect and seize data stored on this IS. 
<br>-Communications using, or data stored on, this IS are not private, are subject 
to routine monitoring, interception, and search, and may be disclosed or used 
for any USG-authorized purpose. 
<br>-This IS includes security measures (e.g., authentication and access controls) 
to protect USG interests -- not for your personal benefit or privacy. 
<br>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.</code>
<br><br>
OR:
<br><br>
<code>I've read & consent to terms in IS user agreem't.</code>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance. 

System use notifications are required only for access via login interfaces with human users and
are not required when such human interfaces do not exist.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
login_banner_text="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_login_banner_text">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[
\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</abbr>"
# There was a regular-expression matching various banners, needs to be expanded
expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g')
formatted=$(echo "$expanded" | fold -sw 80)

cat <<EOF >/etc/issue
$formatted
EOF

printf "\n" >> /etc/issue
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idp123282816"><div class="keywords sr-only">Disable Kernel Parameter for Sending ICMP Redirects by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.send_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table, possibly revealing portions of the network topology.
<br>
The ability to send ICMP redirects is only appropriate for systems acting as routers.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Set runtime for net.ipv4.conf.default.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

#
# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0"
#       else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
        sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idp123286512"><div class="keywords sr-only">Disable Kernel Parameter for Sending ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.send_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
<br>
The ability to send ICMP redirects is only appropriate for systems acting as routers.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Set runtime for net.ipv4.conf.all.send_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0

#
# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0"
#       else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.send_redirects /etc/sysctl.conf ; then
        sed -i 's/^net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g' /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.conf.all.send_redirects to 0 per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idp123290192"><div class="keywords sr-only">Disable Kernel Parameter for IP Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.1.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.ip_forward=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.ip_forward = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idp123295152"><div class="keywords sr-only">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-27434-0 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27434-0">CCE-27434-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040350</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.accept_source_route = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and 
the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idp123301040"><div class="keywords sr-only">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1503</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.accept_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table 
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
<br>
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless 
absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
sysctl_net_ipv4_conf_all_accept_redirects_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value">0</abbr>"
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=$sysctl_net_ipv4_conf_all_accept_redirects_value

#
# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#       else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
        sed -i "s/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = $sysctl_net_ipv4_conf_all_accept_redirects_value/g" /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.conf.all.accept_redirects to $sysctl_net_ipv4_conf_all_accept_redirects_value per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.conf.all.accept_redirects = $sysctl_net_ipv4_conf_all_accept_redirects_value" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-detail-idp123305616"><div class="keywords sr-only">Configure Kernel Parameter for Accepting Secure Redirects for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1503</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.secure_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-detail-idp123311488"><div class="keywords sr-only">Configure Kernel Parameter to Log Martian Packetsxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Log Martian Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.log_martians = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" id="rule-detail-idp123317328"><div class="keywords sr-only">Configure Kernel Parameter to Log Martian Packets By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Log Martian Packets By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.log_martians = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idp123323200"><div class="keywords sr-only">Configure Kernel Parameter for Accepting Source-Routed Packets By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Source-Routed Packets By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040350</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.accept_source_route = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can 
be used to bypass network security measures.
<br>
Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required, such as when
IPv4 forwarding is enabled and the system is legitimately functioning as
a router.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idp123327792"><div class="keywords sr-only">Configure Kernel Parameter for Accepting ICMP Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting ICMP Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.accept_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct
route exists for a particular destination. These messages modify the host's route table
and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle
attack.
<br>
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless 
absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
sysctl_net_ipv4_conf_default_accept_redirects_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value">0</abbr>"
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=$sysctl_net_ipv4_conf_default_accept_redirects_value

#
# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value
#       else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
        sed -i "s/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = $sysctl_net_ipv4_conf_default_accept_redirects_value/g" /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.conf.default.accept_redirects to $sysctl_net_ipv4_conf_default_accept_redirects_value per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.conf.default.accept_redirects = $sysctl_net_ipv4_conf_default_accept_redirects_value" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-detail-idp123332368"><div class="keywords sr-only">Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Secure Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.secure_redirects = 0</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-detail-idp123338256"><div class="keywords sr-only">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requestsxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040380</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.5</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
<br>
Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value">1</abbr>"
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value
#       else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf
#
if grep --silent '^net\.ipv4\.icmp_echo_ignore_broadcasts' /etc/sysctl.conf ; then
        sed -i "s/^net\.ipv4\.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value/g" /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.icmp_echo_ignore_broadcasts to $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.icmp_echo_ignore_broadcasts = $sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-detail-idp123342864"><div class="keywords sr-only">Configure Kernel Parameter to Ignore Bogus ICMP Error Responsesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Ignore Bogus ICMP Error Responses</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.6</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-detail-idp123348768"><div class="keywords sr-only">Configure Kernel Parameter to Use TCP Syncookiesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-27495-1 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Use TCP Syncookies</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27495-1">CCE-27495-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040430</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.8</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.tcp_syncookies = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
sysctl_net_ipv4_tcp_syncookies_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value">1</abbr>"
#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value
#       else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf
#
if grep --silent '^net\.ipv4\.tcp_syncookies' /etc/sysctl.conf ; then
        sed -i "s/^net\.ipv4\.tcp_syncookies.*/net.ipv4.tcp_syncookies = $sysctl_net_ipv4_tcp_syncookies_value/g" /etc/sysctl.conf
else
        echo -e "\n# Set net.ipv4.tcp_syncookies to $sysctl_net_ipv4_tcp_syncookies_value per security requirements" >> /etc/sysctl.conf
        echo "net.ipv4.tcp_syncookies = $sysctl_net_ipv4_tcp_syncookies_value" >> /etc/sysctl.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-detail-idp123353280"><div class="keywords sr-only">Configure Kernel Parameter to Use Reverse Path Filtering for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.all.rp_filter = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enabling reverse path filtering drops packets with source addresses
that could not legitimately have arrived on the interface on which they were
received. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-detail-idp123359104"><div class="keywords sr-only">Configure Kernel Parameter to Use Reverse Path Filtering by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter to Use Reverse Path Filtering by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.2.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    To set the runtime status of the <code>net.ipv4.conf.default.rp_filter</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv4.conf.default.rp_filter = 1</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enabling reverse path filtering drops packets with source addresses
that could not legitimately have arrived on the interface on which they were
received. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" id="rule-detail-idp123364960"><div class="keywords sr-only">Disable WiFi or Bluetooth in BIOSxccdf_org.ssgproject.content_rule_wireless_disable_in_bios lowCCE-27397-9 </div><div class="panel-heading"><h3 class="panel-title">Disable WiFi or Bluetooth in BIOS</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_in_bios</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27397-9">CCE-27397-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Some systems that include built-in wireless support offer the
ability to disable the device through the BIOS. This is system-specific;
consult your hardware manual or explore the BIOS setup during
boot.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling wireless support in the BIOS prevents easy
activation of the wireless interface, generally requiring administrators
to reboot the system first.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-detail-idp123367920"><div class="keywords sr-only">Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces lowCCE-27358-1 </div><div class="panel-heading"><h3 class="panel-title">Deactivate Wireless Network Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27358-1">CCE-27358-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.3.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Deactivating wireless network interfaces should prevent
normal usage of the wireless capability.
<br><br>
First, identify the interfaces available with the command:
<pre>$ ifconfig -a</pre>
Additionally, the following command may be used to
determine whether wireless support is included for a
particular interface, though this may not always be a clear
indicator:
<pre>$ iwconfig</pre>
After identifying any wireless interfaces (which may have
names like <code>wlan0</code>, <code>ath0</code>, <code>wifi0</code>, <code>em1</code> or
<code>eth0</code>), deactivate the interface with the command:
<pre>$ sudo ifdown <i>interface</i></pre>
These changes will only last until the next reboot. To
disable the interface for future boots, remove the appropriate
interface file from <code>/etc/sysconfig/network-scripts</code>:
<pre>$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Wireless networking allows attackers within physical proximity to
launch network-based attacks against systems, including attacks against LAN
protocols that were not designed with security in mind.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" id="rule-detail-idp123371632"><div class="keywords sr-only">Disable Bluetooth Servicexccdf_org.ssgproject.content_rule_service_bluetooth_disabled mediumCCE-27328-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Bluetooth Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_bluetooth_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27328-4">CCE-27328-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    The <code>bluetooth</code> service can be disabled with the following commands:
    <pre>$ sudo systemctl disable bluetooth.service</pre>
              <pre>$ sudo service bluetooth stop</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling the <code>bluetooth</code> service prevents the system from attempting
connections to Bluetooth devices; such connections entail some security risk.
Nevertheless, variation in this risk decision may be expected due to the
utility of Bluetooth connectivity and its limited range.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" id="rule-detail-idp123375296"><div class="keywords sr-only">Disable Bluetooth Kernel Modulesxccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled mediumCCE-27327-6 </div><div class="panel-heading"><h3 class="panel-title">Disable Bluetooth Kernel Modules</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27327-6">CCE-27327-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20141031 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate <code>/etc/modprobe.d</code> configuration file
to prevent the loading of the Bluetooth module:
<pre>install bluetooth /bin/true</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>echo "install bluetooth /bin/true" > /etc/modprobe.d/bluetooth.conf
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable" id="rule-detail-idp123378960"><div class="keywords sr-only">Disable IPv6 Networking Support Automatic Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable IPv6 Networking Support Automatic Loading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.4.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To disable support for (<code>ipv6</code>) add the following line to
<code>/etc/sysctl.d/ipv6.conf</code> (or another file in
<code>/etc/sysctl.d</code>):
<pre>net.ipv6.conf.all.disable_ipv6 = 1</pre>
This disables IPv6 on all network interfaces while leaving the IPv6 stack loaded,
because other services and system functionality require it to work.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" id="rule-detail-idp123383920"><div class="keywords sr-only">Disable Interface Usage of IPv6xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Interface Usage of IPv6</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>To disable interface usage of IPv6, add or correct the following lines in <code>/etc/sysconfig/network</code>:
<pre>NETWORKING_IPV6=no
IPV6INIT=no</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" id="rule-detail-idp123386288"><div class="keywords sr-only">Disable Support for RPC IPv6xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Support for RPC IPv6</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>RPC services for NFSv4 try to load transport modules for
<code>udp6</code> and <code>tcp6</code> by default, even if IPv6 has been disabled in
<code>/etc/modprobe.d</code>. To prevent RPC services such as <code>rpc.mountd</code>
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in <code>/etc/netconfig</code>:
<pre>udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idp123389936"><div class="keywords sr-only">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040860</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
                
    To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv6.conf.all.accept_source_route = 0</pre>
              </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" id="rule-detail-idp123394512"><div class="keywords sr-only">Configure Accepting IPv6 Router Advertisementsxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting IPv6 Router Advertisements</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.4.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
                
    To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv6.conf.all.accept_ra = 0</pre>
              </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An illicit router advertisement message could result in a man-in-the-middle attack.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" id="rule-detail-idp123400336"><div class="keywords sr-only">Configure Accepting IPv6 Router Advertisementsxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting IPv6 Router Advertisements</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.4.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
                
    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv6.conf.default.accept_ra = 0</pre>
              </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An illicit router advertisement message could result in a man-in-the-middle attack.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-detail-idp123406192"><div class="keywords sr-only">Configure Accepting IPv6 Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting IPv6 Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.4.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
                
    To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv6.conf.all.accept_redirects = 0</pre>
              </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-detail-idp123412064"><div class="keywords sr-only">Configure Accepting IPv6 Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting IPv6 Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.4.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
                
    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter,
    run the following command:
    <pre xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre>
    If this is not the system's default value, add the following line to <code>/etc/sysctl.conf</code>:
    <pre xml:space="preserve">net.ipv6.conf.default.accept_redirects = 0</pre>
              </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_ipv6_static_address" id="rule-detail-idp123417952"><div class="keywords sr-only">Manually Assign Global IPv6 Addressxccdf_org.ssgproject.content_rule_network_ipv6_static_address lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Manually Assign Global IPv6 Address</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_ipv6_static_address</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To manually assign an IP address for an interface, edit the
file <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>. Add or correct the
following line (substituting the correct IPv6 address):
<pre>IPV6ADDR=2001:0DB8::ABCD/64</pre>
Manually assigning an IP address is preferable to accepting one from routers or
otherwise from the network. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC 3849.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" id="rule-detail-idp123421616"><div class="keywords sr-only">Use Privacy Extensions for Addressxccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Use Privacy Extensions for Address</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
<code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>:
<pre>IPV6_PRIVACY=rfc3041</pre>
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" id="rule-detail-idp123425280"><div class="keywords sr-only">Manually Assign IPv6 Router Addressxccdf_org.ssgproject.content_rule_network_ipv6_default_gateway lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Manually Assign IPv6 Router Address</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit the file
<code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>, and add or correct
the following line (substituting your gateway IP as appropriate):
<pre>IPV6_DEFAULTGW=2001:0DB8::0001</pre>
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idp123428944"><div class="keywords sr-only">Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-27361-5 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27361-5">CCE-27361-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.7</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040810</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
    The <code>firewalld</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable firewalld.service</pre>
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Enable firewalld.service for all systemd targets
#
systemctl enable firewalld.service

#
# Start firewalld.service if not currently running
#
systemctl start firewalld.service
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" id="rule-detail-idp123432608"><div class="keywords sr-only">Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-27349-0 </div><div class="panel-heading"><h3 class="panel-title">Set Default firewalld Zone for Incoming Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_firewalld_default_zone</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27349-0">CCE-27349-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">66</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1109</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1154</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1414</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the default zone to <code>drop</code> for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
<code>/etc/firewalld/firewalld.conf</code> to be:
<pre>DefaultZone=drop</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In <code>firewalld</code> the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to <code>drop</code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>grep -q ^DefaultZone= /etc/firewalld/firewalld.conf && \
  sed -i "s/^DefaultZone=.*/DefaultZone=drop/" /etc/firewalld/firewalld.conf
if ! [ $? -eq 0 ]; then
    echo "DefaultZone=drop" >> /etc/firewalld/firewalld.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" id="rule-detail-idp123436272"><div class="keywords sr-only">Disable DCCP Supportxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled mediumCCE-26828-4 </div><div class="panel-heading"><h3 class="panel-title">Disable DCCP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26828-4">CCE-26828-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.6.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.

To configure the system to prevent the <code>dccp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install dccp /bin/true</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling DCCP protects
the system against exploitation of any flaws in its implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="rule-detail-idp123441232"><div class="keywords sr-only">Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-27106-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SCTP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27106-4">CCE-27106-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">4.6.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.

To configure the system to prevent the <code>sctp</code>
kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>:
<pre xml:space="preserve">install sctp /bin/true</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling SCTP protects
the system against exploitation of any flaws in its implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_libreswan_installed" id="rule-detail-idp123446192"><div class="keywords sr-only">Install libreswan Packagexccdf_org.ssgproject.content_rule_package_libreswan_installed mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install libreswan Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_libreswan_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1130</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1131</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-4.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Libreswan package provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. 
    The <code>libreswan</code> package can be installed with the following command:
    <pre>$ sudo yum install libreswan</pre> 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Providing the ability for remote users or systems
to initiate a secure VPN connection protects information when it is
transmitted over a wide area network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" id="rule-detail-idp123451152"><div class="keywords sr-only">Verify Any Configured IPSec Tunnel Connectionsxccdf_org.ssgproject.content_rule_libreswan_approved_tunnels mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Verify Any Configured IPSec Tunnel Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">336</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040830</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Libreswan provides an implementation of IPsec
and IKE, which permits the creation of secure tunnels over
untrusted networks. As such, IPsec can be used to circumvent certain
network requirements such as filtering. Verify that any IPsec connection
(<code>conn</code>) configured in <code>/etc/ipsec.conf</code> and <code>/etc/ipsec.d</code>
is an approved organizational connection.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
IP tunneling mechanisms can be used to bypass network filtering.
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> 
                                        <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_disable_zeroconf" id="rule-detail-idp123275520"><div class="keywords sr-only">Disable Zeroconf Networkingxccdf_org.ssgproject.content_rule_network_disable_zeroconf lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Zeroconf Networking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_disable_zeroconf</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in <code>/etc/sysconfig/network</code>:
<pre>NOZEROCONF=yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Zeroconf addresses are in the network 169.254.0.0. The networking
scripts add entries to the system's routing table for these addresses. Zeroconf
address assignment commonly occurs when the system is configured to use DHCP
but fails to receive an address assignment from the DHCP server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-detail-idp123279168"><div class="keywords sr-only">Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure System is Not Acting as a Network Sniffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_sniffer_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
<pre>$ ip link | grep PROMISC</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If any results are returned, then a sniffing process (such as tcpdump
or Wireshark) is likely to be using the interface and this should be
investigated.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-detail-idp123465328"><div class="keywords sr-only">Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>.
For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
If the owner is not <code>root</code>, run the following command to
correct this:
<pre>$ sudo chown root <i>LOGFILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-detail-idp123470256"><div class="keywords sr-only">Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The group-owner of all log files written by
<code>rsyslog</code> should be root.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>.
For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's group owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
If the group owner is not <code>root</code>, run the following command to
correct this:
<pre>$ sudo chgrp root <i>LOGFILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-detail-idp123475216"><div class="keywords sr-only">Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure System Log Files Have Correct Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The file permissions for all log files written by
<code>rsyslog</code> should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
<code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. 
For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>,
run the following command to inspect the file's permissions:
<pre>$ ls -l <i>LOGFILE</i></pre>
If the permissions are not 600 or more restrictive,
run the following command to correct this:
<pre>$ sudo chmod 0600 <i>LOGFILE</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Log files can contain valuable information regarding system
configuration. If the system log files are not protected, unauthorized
users could change the logged data, eliminating their forensic value.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idp123480160"><div class="keywords sr-only">Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost lowCCE-27343-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27343-3">CCE-27343-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1348</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">136</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1851</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To configure rsyslog to send logs to a remote log server,
open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting <code><i>loghost.example.com</i></code> appropriately.
The choice of protocol depends on the environment of the system; 
although TCP and RELP provide more reliable message delivery, 
they may not be supported in all environments.
<br>
To use UDP for log message delivery:
<pre>*.* @<i>loghost.example.com</i></pre>
<br>
To use TCP for log message delivery:
<pre>*.* @@<i>loghost.example.com</i></pre>
<br>
To use RELP for log message delivery:
<pre>*.* :omrelp:<i>loghost.example.com</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-detail-idp123483808"><div class="keywords sr-only">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_nolisten</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
<i>not</i> found in <code>/etc/rsyslog.conf</code>:
<pre>$ModLoad imtcp
$InputTCPServerRun <i>port</i>
$ModLoad imudp
$UDPServerRun <i>port</i>
$ModLoad imrelp
$InputRELPServerRun <i>port</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Any process which receives messages from the network incurs some risk
of receiving malicious messages. This risk can be eliminated for
rsyslog by configuring it not to listen on the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp" id="rule-detail-idp123487440"><div class="keywords sr-only">Enable rsyslog to Accept Messages via TCP, if Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog to Accept Messages via TCP, if Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
<code>/etc/rsyslog.conf</code> to enable reception of messages over TCP:
<pre>$ModLoad imtcp
$InputTCPServerRun 514</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If the system needs to act as a log server, this ensures that it can receive
messages over a reliable TCP connection.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp" id="rule-detail-idp123489808"><div class="keywords sr-only">Enable rsyslog to Accept Messages via UDP, if Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog to Accept Messages via UDP, if Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
<code>/etc/rsyslog.conf</code> to enable reception of messages over UDP:
<pre>$ModLoad imudp
$UDPServerRun 514</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Many devices, such as switches, routers, and other Unix-like systems, may only support
the traditional syslog transmission over UDP. If the system must act as a log server,
this enables it to receive their messages as well.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" id="rule-detail-idp123492176"><div class="keywords sr-only">Ensure Logrotate Runs Periodicallyxccdf_org.ssgproject.content_rule_ensure_logrotate_activated lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure Logrotate Runs Periodically</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_logrotate_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>logrotate</code> utility allows for the automatic rotation of 
log files.  The frequency of rotation is specified in <code>/etc/logrotate.conf</code>, 
which triggers a cron task.  To configure logrotate to run daily, add or correct 
the following line in <code>/etc/logrotate.conf</code>:
<pre># rotate log files <i>frequency</i>
daily</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit" id="rule-detail-idp123497136"><div class="keywords sr-only">Configure Logwatch HostLimit Linexccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Logwatch HostLimit Line</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_logwatch_configured_hostlimit</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p> On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate 
on the logserver itself. The <code>HostLimit</code> setting tells Logwatch to report on all hosts, not just the one on which it 
is running. 
<pre> HostLimit = no </pre> </p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_logwatch_configured_splithosts" id="rule-detail-idp123500800"><div class="keywords sr-only">Configure Logwatch SplitHosts Linexccdf_org.ssgproject.content_rule_logwatch_configured_splithosts lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Logwatch SplitHosts Line</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_logwatch_configured_splithosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If <code>SplitHosts</code> is set, Logwatch will separate entries by hostname. This makes the report longer but significantly 
more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that 
information is almost always necessary.
<pre> SplitHosts = yes </pre> </p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idp123455456"><div class="keywords sr-only">Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1311</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1312</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Rsyslog is installed by default. 

    The <code>rsyslog</code> package can be installed with the following command:
    <pre>$ sudo yum install rsyslog</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-detail-idp123460400"><div class="keywords sr-only">Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1311</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1312</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1557</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1851</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7.

    The <code>rsyslog</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable rsyslog.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rsyslog</code> service must be running in order to provide
logging services, which are essential to system administration.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver" id="rule-detail-idp123504464"><div class="keywords sr-only"> Disable Logwatch on Clients if a Logserver Existsxccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title"> Disable Logwatch on Clients if a Logserver Exists</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_logwatch_for_logserver</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
Does your site have a central logserver which has been configured to report on logs received from all systems? 
If so:
<pre> 
$ sudo rm /etc/cron.daily/0logwatch 
</pre>
If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central 
logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier 
and less time-intensive for administrators.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" id="rule-detail-idp123514144"><div class="keywords sr-only">Configure auditd Number of Logs Retainedxccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs mediumCCE-27348-2 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd Number of Logs Retained</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27348-2">CCE-27348-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Determine how many log files
<code>auditd</code> should retain when it rotates logs.
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following
line, substituting <i>NUMLOGS</i> with the correct value of <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_num_logs">5</abbr>:
<pre>num_logs = <i>NUMLOGS</i></pre>
Set the value to 5 for general-purpose systems. 
Note that values less than 2 result in no log rotation.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" id="rule-detail-idp123518624"><div class="keywords sr-only">Configure auditd Max Log File Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file mediumCCE-27319-3 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd Max Log File Size</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27319-3">CCE-27319-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
<code>/etc/audit/auditd.conf</code>. Add or modify the following line, substituting
the correct value of <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_max_log_file">6</abbr> for <i>STOREMB</i>:
<pre>max_log_file = <i>STOREMB</i></pre>
Set the value to <code>6</code> (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" id="rule-detail-idp123523120"><div class="keywords sr-only">Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action mediumCCE-27231-0 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd max_log_file_action Upon Reaching Maximum Log Size</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27231-0">CCE-27231-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by <code>auditd</code>, add or correct the line in <code>/etc/audit/auditd.conf</code>:
<pre>max_log_file_action = <i>ACTION</i></pre>
Possible values for <i>ACTION</i> are described in the <code>auditd.conf</code> man
page. These include:
<ul><li><code>ignore</code></li><li><code>syslog</code></li><li><code>suspend</code></li><li><code>rotate</code></li><li><code>keep_logs</code></li></ul>
Set the <code><i>ACTION</i></code> to <code>rotate</code> to ensure log rotation
occurs.  This is the default.  The setting is case-insensitive.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Automatically rotating logs (by setting this to <code>rotate</code>)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
<code>keep_logs</code> can be employed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" id="rule-detail-idp123527664"><div class="keywords sr-only">Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-27375-5 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd space_left Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27375-5">CCE-27375-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">140</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">143</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action
when disk space <i>starts</i> to run low.
Edit the file <code>/etc/audit/auditd.conf</code>. Modify the following line,
substituting <i>ACTION</i> appropriately:
<pre>space_left_action = <i>ACTION</i></pre>
Possible values for <i>ACTION</i> are described in the <code>auditd.conf</code> man page.
These include:
<ul><li><code>ignore</code></li><li><code>syslog</code></li><li><code>email</code></li><li><code>exec</code></li><li><code>suspend</code></li><li><code>single</code></li><li><code>halt</code></li></ul>
Set this to <code>email</code> (instead of the default,
which is <code>suspend</code>) as it is more likely to get prompt attention. Acceptable values
also include <code>suspend</code>, <code>single</code>, and <code>halt</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_auditd_space_left_action="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_space_left_action">email</abbr>"
# Anchor the sed pattern at line start so admin_space_left_action is not rewritten as well
grep -q ^space_left_action /etc/audit/auditd.conf && \
  sed -i "s/^space_left_action.*/space_left_action = $var_auditd_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
    echo "space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" id="rule-detail-idp123532192"><div class="keywords sr-only">Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action mediumCCE-27370-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd admin_space_left Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27370-6">CCE-27370-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">140</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1343</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to take an action
when disk space is running low but prior to running out of space completely. 
Edit the file <code>/etc/audit/auditd.conf</code>. Add or modify the following line,
substituting <i>ACTION</i> appropriately:
<pre>admin_space_left_action = <i>ACTION</i></pre>
Set this value to <code>single</code> to cause the system to switch to single user
mode for corrective action. Acceptable values also include <code>suspend</code> and
<code>halt</code>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for <i>ACTION</i> are described in the
<code>auditd.conf</code> man page.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_auditd_admin_space_left_action="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action">single</abbr>"
grep -q ^admin_space_left_action /etc/audit/auditd.conf && \
  sed -i "s/^admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
    echo "admin_space_left_action = $var_auditd_admin_space_left_action" >> /etc/audit/auditd.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" id="rule-detail-idp123536736"><div class="keywords sr-only">Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-27394-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd mail_acct Action on Low Disk Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27394-6">CCE-27394-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">139</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">144</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.7.a</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in <code>/etc/audit/auditd.conf</code> to ensure that administrators are notified
via email for those situations:
<pre>action_mail_acct = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct">root</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" id="rule-detail-idp123541264"><div class="keywords sr-only">Configure auditd flush priorityxccdf_org.ssgproject.content_rule_auditd_data_retention_flush lowCCE-27331-8 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd flush priority</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_flush</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27331-8">CCE-27331-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1576</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in <code>/etc/audit/auditd.conf</code> to ensure that audit event data is
fully synchronized with the log files on the disk:
<pre>flush = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_flush">data</abbr></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Audit data should be synchronously written to disk to ensure
log integrity. These parameters assure that all audit event data is fully
synchronized with the log files on the disk.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_auditd_flush="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_flush">data</abbr>"
AUDITCONFIG=/etc/audit/auditd.conf

# if flush is present, flush param edited to var_auditd_flush
# else flush param is defined by var_auditd_flush
#
# the freq param is only used when flush is 'incremental' and will be
# commented out if flush != incremental
#
# if flush == incremental && freq param is not defined, it 
# will be defined as the package-default value of 20

grep -q ^flush $AUDITCONFIG && \
  sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG
if ! [ $? -eq 0 ]; then
  echo "flush = $var_auditd_flush" >> $AUDITCONFIG
fi

if ! [ "$var_auditd_flush" == "incremental" ]; then
  sed -i 's/^freq/##freq/g' $AUDITCONFIG
elif [ "$var_auditd_flush" == "incremental" ]; then
  grep -q freq $AUDITCONFIG && \
    sed -i 's/^#\+freq/freq/g' $AUDITCONFIG
  if ! [ $? -eq 0 ]; then
    echo "freq = 20" >> $AUDITCONFIG
  fi
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" id="rule-detail-idp123545744"><div class="keywords sr-only">Configure auditd to use audispd's syslog pluginxccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated mediumCCE-27341-7 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd to use audispd's syslog plugin</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27341-7">CCE-27341-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">136</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the <code>auditd</code> service to use the
<code>syslog</code> plug-in of the <code>audispd</code> audit event multiplexor, set
the <code>active</code> line in <code>/etc/audisp/plugins.d/syslog.conf</code> to
<code>yes</code>. Restart the <code>auditd</code> service:
<pre>$ sudo service auditd restart</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for the audit event multiplexor (audispd) to pass audit records
to the local syslog server.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
grep -q ^active /etc/audisp/plugins.d/syslog.conf && \
  sed -i "s/^active.*/active = yes/g" /etc/audisp/plugins.d/syslog.conf
if ! [ $? -eq 0 ]; then
    echo "active = yes" >> /etc/audisp/plugins.d/syslog.conf
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" id="rule-detail-idp123549424"><div class="keywords sr-only">Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex lowCCE-27290-6 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through adjtimex</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27290-6">CCE-27290-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.2.b</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1487</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to the
<code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</pre>
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but this is
not required. An example with multiple syscalls combined:
<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="rule-detail-idp123553088"><div class="keywords sr-only">Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday lowCCE-27216-1 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through settimeofday</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27216-1">CCE-27216-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.2.b</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1487</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to the
<code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</pre>
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but this is
not required. An example with multiple syscalls combined:
<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime" id="rule-detail-idp123556752"><div class="keywords sr-only">Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime lowCCE-27299-7 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through stime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_stime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27299-7">CCE-27299-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.2.b</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1487</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code> for both 32 bit and 64 bit systems:
<pre>-a always,exit -F arch=b32 -S stime -k audit_time_rules</pre>
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
<code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to
read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file for both 32 bit and 64 bit systems:
<pre>-a always,exit -F arch=b32 -S stime -k audit_time_rules</pre>
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but this is not
required. See an example of multiple combined system calls:
<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="rule-detail-idp123560400"><div class="keywords sr-only">Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime lowCCE-27219-5 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through clock_settime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27219-5">CCE-27219-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.2.b</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1487</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but this is not required. See an example of multiple combined syscalls:
<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
        GROUP="clock_settime"
        FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" id="rule-detail-idp123564064"><div class="keywords sr-only">Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime lowCCE-27310-2 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter the localtime File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27310-2">CCE-27310-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.2.b</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1487</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the default),
add the following line to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code>:
<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-detail-idp123587360"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod lowCCE-27339-1 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27339-1">CCE-27339-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured to
use the <code>augenrules</code> program to read audit rules during daemon startup
(the default), add the following line to a file with suffix <code>.rules</code> in
the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chmod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-detail-idp123591024"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown lowCCE-27364-9 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27364-9">CCE-27364-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured to
use the <code>augenrules</code> program to read audit rules during daemon startup
(the default), add the following line to a file with suffix <code>.rules</code> in
the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chown"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" id="rule-detail-idp123594688"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod lowCCE-27393-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27393-8">CCE-27393-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured to
use the <code>augenrules</code> program to read audit rules during daemon startup
(the default), add the following line to a file with suffix <code>.rules</code> in
the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chmod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" id="rule-detail-idp123598352"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat lowCCE-27388-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchmodat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27388-8">CCE-27388-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured to
use the <code>augenrules</code> program to read audit rules during daemon startup
(the default), add the following line to a file with suffix <code>.rules</code> in
the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chmod"
        FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" id="rule-detail-idp123602016"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown lowCCE-27356-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27356-5">CCE-27356-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chown"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" id="rule-detail-idp123605680"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat lowCCE-27387-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fchownat</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27387-0">CCE-27387-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chown"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" id="rule-detail-idp123609344"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr lowCCE-27353-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27353-2">CCE-27353-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" id="rule-detail-idp123613040"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr lowCCE-27389-6 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27389-6">CCE-27389-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independently of other system calls.  Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" id="rule-detail-idp123616720"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown lowCCE-27083-5 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lchown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27083-5">CCE-27083-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, then also add the following line:
<pre>-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="chown"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" id="rule-detail-idp123620384"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr lowCCE-27410-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27410-0">CCE-27410-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" id="rule-detail-idp123624080"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr lowCCE-27280-7 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27280-7">CCE-27280-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" id="rule-detail-idp123627760"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr lowCCE-27367-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - removexattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27367-2">CCE-27367-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" id="rule-detail-idp123631440"><div class="keywords sr-only">Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr lowCCE-27213-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - setxattr</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27213-8">CCE-27213-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file permission
changes for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient.
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="xattr"
        FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" id="rule-detail-idp123567728"><div class="keywords sr-only">Record Events that Modify User/Group Informationxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification lowCCE-27192-4 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27192-4">CCE-27192-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">18</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1403</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2130</a>, <a href="">030710</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.5</a>, <a href="">SRG–OS–000004–GPOS–00004</a>, <a href="">SRG–OS–000239–GPOS–00089</a>, <a href="">SRG–OS–000241–GPOS–00090</a>, <a href="">SRG–OS–000241–GPOS–00091</a>, <a href="">SRG–OS–000303–GPOS–00120</a>, <a href="">SRG–OS–000476–GPOS–00221</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>, in order to capture events that modify
account information:
<pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre>
<br>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to
the <code>/etc/audit/audit.rules</code> file, in order to capture events that modify
account information:
<pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" id="rule-detail-idp123571392"><div class="keywords sr-only">Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification lowCCE-27076-9 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Network Environment</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27076-9">CCE-27076-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="set\(host\|domain\)name"
        FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" id="rule-detail-idp123575072"><div class="keywords sr-only">System Audit Logs Must Have Mode 0640 or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_var_log_audit mediumCCE-27205-4 </div><div class="panel-heading"><h3 class="panel-title">System Audit Logs Must Have Mode 0640 or Less Permissive</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27205-4">CCE-27205-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If <code>log_group</code> in <code>/etc/audit/auditd.conf</code> is set to a group other than the <code>root</code>
group account, change the mode of the audit log files with the following command:
<pre>$ sudo chmod 0640 <i>audit_file</i></pre>
<br>
Otherwise, change the mode of the audit log files with the following command:
<pre>$ sudo chmod 0600 <i>audit_file</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If users can write to audit logs, audit trails can be modified or destroyed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" id="rule-detail-idp123578736"><div class="keywords sr-only">System Audit Logs Must Be Owned By Rootxccdf_org.ssgproject.content_rule_file_ownership_var_log_audit mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">System Audit Logs Must Be Owned By Root</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</a>, <a href="">SRG-OS-000058-GPOS-00028</a>, <a href="">030120</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    To properly set the owner of <code>/var/log</code>, run the command:
    <pre xml:space="preserve">$ sudo chown root /var/log</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" id="rule-detail-idp123583696"><div class="keywords sr-only">Record Events that Modify the System's Mandatory Access Controlsxccdf_org.ssgproject.content_rule_audit_rules_mac_modification lowCCE-27168-4 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Mandatory Access Controls</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_mac_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27168-4">CCE-27168-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.5</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>:
<pre>-w /etc/selinux/ -p wa -k MAC-policy</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to the
<code>/etc/audit/audit.rules</code> file:
<pre>-w /etc/selinux/ -p wa -k MAC-policy</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events" id="rule-detail-idp123635104"><div class="keywords sr-only">Record Attempts to Alter Logon and Logout Eventsxccdf_org.ssgproject.content_rule_audit_rules_login_events mediumCCE-27204-7 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27204-7">CCE-27204-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2884</a>, <a href="">SRG-OS-000392-GPOS-00172</a>, <a href="">SRG-OS-000470-GPOS-00214</a>, <a href="">SRG-OS-000473-GPOS-00218</a>, <a href="">030490</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects login information for all users
and root. If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"

fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins"

fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_session_events" id="rule-detail-idp123638752"><div class="keywords sr-only">Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events lowCCE-27301-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Process and Session Initiation Information</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_session_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27301-1">CCE-27301-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit system already collects process information for all
users and root. If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual
edits of files involved in storing such process information:
<pre>-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file in order to watch for attempted manual
edits of files involved in storing such process information:
<pre>-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" id="rule-detail-idp123642416"><div class="keywords sr-only">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification mediumCCE-27347-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27347-4">CCE-27347-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2884</a>, <a href="">SRG-OS-000064-GPOS-00033</a>, <a href="">SRG-OS-000458-GPOS-00203</a>, <a href="">SRG-OS-000461-GPOS-00205</a>, <a href="">SRG-OS-000392-GPOS-00172</a>, <a href="">030420</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.1</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the <code>auditd</code> daemon is configured
to use the <code>augenrules</code> program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access</pre>
If the system is 64-bit, also add the following lines:
<pre>
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access</pre>
If the system is 64-bit, also add the following lines:
<pre>
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do

        # First fix the -EACCES requirement
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="\(creat\|open\|truncate\)"
        FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

        # Then fix the -EPERM requirement
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k *"
        # No need to change content of $GROUP variable - it's the same as for -EACCES case above
        FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" id="rule-detail-idp123646112"><div class="keywords sr-only">Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-27437-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27437-3">CCE-27437-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2234</a>, <a href="">SRG-OS-000327-GPOS-00127</a>, <a href="">030310</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.10</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
<i>PART</i>:
<pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre>
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code>
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code> for each setuid / setgid program on the system,
replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid /
setgid program in the list:
<pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add a line of the following
form to <code>/etc/audit/audit.rules</code> for each setuid / setgid program on the
system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that
setuid / setgid program in the list:
<pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
<br>
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_media_export" id="rule-detail-idp123649776"><div class="keywords sr-only">Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-27447-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Exporting to Media (successful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_media_export</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27447-2">CCE-27447-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2884</a>, <a href="">SRG-OS-000042-GPOS-00020</a>, <a href="">SRG-OS-000392-GPOS-00172</a>, <a href="">030530</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.13</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect media exportation
events for all users and root. If the <code>auditd</code> daemon is configured to
use the <code>augenrules</code> program to read audit rules during daemon startup
(the default), add the following line to a file with suffix <code>.rules</code> in
the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
<code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        GROUP="mount"
        FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" id="rule-detail-idp123653424"><div class="keywords sr-only">Ensure auditd Collects File Deletion Events by Userxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events mediumCCE-27206-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects File Deletion Events by User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27206-2">CCE-27206-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">030750</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.14</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect file deletion events
for all users and root. If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
<code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="\(rmdir\|unlink\|rename\)"
        FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-detail-idp123657088"><div class="keywords sr-only">Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions lowCCE-27461-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects System Administrator Actions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27461-3">CCE-27461-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5.b</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>At a minimum the audit system should collect administrator actions
for all users and root. If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the default),
add the following line to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code>:
<pre>-w /etc/sudoers -p wa -k actions</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
<code>/etc/audit/audit.rules</code> file:
<pre>-w /etc/sudoers -p wa -k actions</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as for accountability purposes.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" id="rule-detail-idp123660752"><div class="keywords sr-only">Ensure auditd Collects Information on Kernel Module Loading and Unloadingxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading mediumCCE-27129-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27129-6">CCE-27129-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</a>, <a href="">SRG-OS-000471-GPOS-00216</a>, <a href="">SRG-OS-000477</a>, <a href="">GPOS-00222</a>, <a href="">030670</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.17</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
<pre>-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit
rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
<pre>-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=<i>ARCH</i> -S init_module -S delete_module -k modules</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
#       it's not required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule. Therefore for
#       each system it's enough to check presence of system's native rule form.
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
        # Use escaped BRE regex to specify rule group
        GROUP="\(init\|delete\)_module"
        FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_immutable" id="rule-detail-idp123664416"><div class="keywords sr-only">Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable lowCCE-27097-5 </div><div class="panel-heading"><h3 class="panel-title">Make the auditd Configuration Immutable</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_immutable</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27097-5">CCE-27097-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.2</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.18</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following line to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code> in order to make the auditd configuration
immutable:
<pre>-e 2</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to
<code>/etc/audit/audit.rules</code> file in order to make the auditd configuration
immutable:
<pre>-e 2</pre>
With this setting, a reboot will be required to change any audit rules.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Traverse all of:
#
# /etc/audit/audit.rules,                       (for auditctl case)
# /etc/audit/rules.d/*.rules                    (for augenrules case)
#
# files to check if '-e .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-e 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'

# Append '-e 2' requirement at the end of both:
# * /etc/audit/audit.rules file                 (for auditctl case)
# * /etc/audit/rules.d/immutable.rules          (for augenrules case)

for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
        echo '' >> $AUDIT_FILE
        echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
        echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
        echo '-e 2' >> $AUDIT_FILE
done
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-detail-idp123506832"><div class="keywords sr-only">Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-27407-6 </div><div class="panel-heading"><h3 class="panel-title">Enable auditd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27407-6">CCE-27407-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">131</a>, <a href="">SRG-OS-000038-GPOS-00016</a>, <a href="">SRG-OS-000039-GPOS-00017</a>, <a href="">SRG-OS-000042-GPOS-00021</a>, <a href="">SRG-OS-000254-GPOS-00095</a>, <a href="">SRG-OS-000255-GPOS-00096</a>, <a href="">030010</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

    The <code>auditd</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable auditd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without establishing what type of events occurred, it would be difficult
to establish, correlate, and investigate the events leading up to an outage or attack.
<br>
Ensuring the <code>auditd</code> service is active ensures audit records 
generated by the kernel are appropriately recorded.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_bootloader_audit_argument" id="rule-detail-idp123510480"><div class="keywords sr-only">Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_bootloader_audit_argument mediumCCE-27212-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Auditing for Processes Which Start Prior to the Audit Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_bootloader_audit_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27212-0">CCE-27212-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1464</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">130</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument <code>audit=1</code> to the default
GRUB 2 command line for the Linux operating system in
<code>/etc/default/grub</code>, in the manner below:
<pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although <code>auditd</code> takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        The GRUB 2 configuration file, <code>grub.cfg</code>,
is automatically updated each time a new kernel is installed. Note that any
changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code>
file. To update the GRUB 2 configuration file manually, use the
<code>grub2-mkconfig -o</code> command as follows:
<ul><li>On BIOS-based machines, issue the following command as <code>root</code>:
<pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>:
<pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul>
</div></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Correct the form of default kernel command line in /etc/default/grub
if grep -q '^GRUB_CMDLINE_LINUX=".*audit=' /etc/default/grub; then
  # An audit= argument is already present: force its value to 1
  sed -i '/^GRUB_CMDLINE_LINUX=/s/audit=[^[:space:]"]*/audit=1/g' /etc/default/grub
else
  # No audit= argument yet: append audit=1 inside the closing quote
  sed -i 's/^\(GRUB_CMDLINE_LINUX=\)"\(.*\)"/\1"\2 audit=1"/' /etc/default/grub
fi

# Correct the form of kernel command line for each installed kernel
# in the bootloader
/sbin/grubby --update-kernel=ALL --args="audit=1"
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-detail-idp123668048"><div class="keywords sr-only">Disable xinetd Servicexccdf_org.ssgproject.content_rule_service_xinetd_disabled mediumCCE-27443-1 </div><div class="panel-heading"><h3 class="panel-title">Disable xinetd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_xinetd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27443-1">CCE-27443-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>xinetd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable xinetd.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The xinetd service provides a dedicated listener service for some programs,
which is no longer necessary for commonly-used network services. Disabling
it ensures that these uncommon services are not running, and also prevents
attacks against xinetd itself.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-detail-idp123671696"><div class="keywords sr-only">Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-27354-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall xinetd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xinetd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27354-0">CCE-27354-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.11</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>xinetd</code> package can be uninstalled with the following command:
<pre>$ sudo yum erase xinetd</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Removing the <code>xinetd</code> package decreases the risk of the
xinetd service's accidental (or intentional) activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed" id="rule-detail-idp123675344"><div class="keywords sr-only">Install tcp_wrappers Packagexccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed mediumCCE-27361-5 </div><div class="panel-heading"><h3 class="panel-title">Install tcp_wrappers Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27361-5">CCE-27361-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
When network services are using the <code>xinetd</code> service, the
<code>tcp_wrappers</code> package should be installed.

    The <code>tcp_wrappers</code> package can be installed with the following command:
    <pre>$ sudo yum install tcp_wrappers</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-detail-idp123680304"><div class="keywords sr-only">Disable telnet Servicexccdf_org.ssgproject.content_rule_service_telnet_disabled highCCE-27401-9 </div><div class="panel-heading"><h3 class="panel-title">Disable telnet Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_telnet_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27401-9">CCE-27401-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140922 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>telnet</code> service configuration file <code>/etc/xinetd.d/telnet</code>
is not created automatically. If it was created manually, check the
<code>/etc/xinetd.d/telnet</code> file and ensure that <code>disable = no</code>
is changed to read <code>disable = yes</code> as follows:
<pre>
# description: The telnet server serves telnet sessions; it uses \\
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream

        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
</pre>
If the <code>/etc/xinetd.d/telnet</code> file does not exist, make sure that
the activation of the <code>telnet</code> service on system boot is disabled
via the following command:
    <pre>$ sudo systemctl disable telnet.socket</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idp123683952"><div class="keywords sr-only">Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-27165-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27165-0">CCE-27165-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a>, <a href="">SRG-OS-000095-GPOS-00049</a>, <a href="">021910</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>telnet-server</code> package can be uninstalled with
the following command:
<pre>$ sudo yum erase telnet-server</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
It is detrimental for operating systems to provide, or install by default, functionality exceeding
requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore
may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
<br>
The telnet service provides an unencrypted remote access service which does not provide for the
confidentiality and integrity of user passwords or the remote session. If a privileged user were
to log in using this service, the privileged user password could be compromised.
<br>
Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental 
(or intentional) activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-detail-idp123687616"><div class="keywords sr-only">Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-27305-2 </div><div class="panel-heading"><h3 class="panel-title">Remove telnet Clients</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27305-2">CCE-27305-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The telnet client allows users to start connections to other 
systems via the telnet protocol.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>telnet</code> protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The <code>ssh</code> package provides an
encrypted session and stronger security and is included in Red Hat
Enterprise Linux.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idp123691264"><div class="keywords sr-only">Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-27342-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27342-5">CCE-27342-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a>, <a href="">SRG-OS-000095-GPOS-00049</a>, <a href="">020000</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.3</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsh-server</code> package can be uninstalled with
the following command:
<pre>$ sudo yum erase rsh-server</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rsh-server</code> service provides an unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to log in using this service, the privileged user password
could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled" id="rule-detail-idp123694928"><div class="keywords sr-only">Disable rexec Servicexccdf_org.ssgproject.content_rule_service_rexec_disabled highCCE-27408-4 </div><div class="panel-heading"><h3 class="panel-title">Disable rexec Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rexec_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27408-4">CCE-27408-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rexec</code> service, which is available with
the <code>rsh-server</code> package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set <code>disable</code> to <code>yes</code> in <code>/etc/xinetd.d/rexec</code>. 
If using systemd, the <code>rexec</code> socket can be disabled with the following command:
    <pre>$ sudo systemctl disable rexec.socket</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsh_disabled" id="rule-detail-idp123698576"><div class="keywords sr-only">Disable rsh Servicexccdf_org.ssgproject.content_rule_service_rsh_disabled highCCE-27337-5 </div><div class="panel-heading"><h3 class="panel-title">Disable rsh Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsh_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27337-5">CCE-27337-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsh</code> service, which is available with
the <code>rsh-server</code> package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set <code>disable</code> to <code>yes</code> in <code>/etc/xinetd.d/rsh</code>.
If using systemd, the <code>rsh</code> socket can be disabled with the following command:
    <pre>$ sudo systemctl disable rsh.socket</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The rsh service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-detail-idp123702208"><div class="keywords sr-only">Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed lowCCE-27274-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:11</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27274-0">CCE-27274-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140530 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rsh</code> package contains the client commands
for the rsh services.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the <code>rsh</code> package removes
the clients for <code>rsh</code>, <code>rcp</code>, and <code>rlogin</code>.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled" id="rule-detail-idp123705840"><div class="keywords sr-only">Disable rlogin Servicexccdf_org.ssgproject.content_rule_service_rlogin_disabled highCCE-27336-7 </div><div class="panel-heading"><h3 class="panel-title">Disable rlogin Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rlogin_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27336-7">CCE-27336-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rlogin</code> service, which is available with
the <code>rsh-server</code> package and runs as a service through xinetd or separately
as a systemd socket, should be disabled.
If using xinetd, set <code>disable</code> to <code>yes</code> in <code>/etc/xinetd.d/rlogin</code>.
If using systemd, the <code>rlogin</code> socket can be disabled with the following command:
    <pre>$ sudo systemctl disable rlogin.socket</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_rsh_trust_files" id="rule-detail-idp123709488"><div class="keywords sr-only">Remove Rsh Trust Filesxccdf_org.ssgproject.content_rule_no_rsh_trust_files highCCE-27406-8 </div><div class="panel-heading"><h3 class="panel-title">Remove Rsh Trust Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_rsh_trust_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27406-8">CCE-27406-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The files <code>/etc/hosts.equiv</code> and <code>~/.rhosts</code> (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following commands to delete them from any
location:
<pre>$ sudo rm /etc/hosts.equiv</pre>
<pre>$ rm ~/.rhosts</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Trust files are convenient, but when
used in conjunction with the R-services, they can allow
unauthenticated access to a system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="rule-detail-idp123713120"><div class="keywords sr-only">Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-27399-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall ypserv Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypserv_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27399-5">CCE-27399-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a>, <a href="">SRG-OS-000095-GPOS-00049</a>, <a href="">020010</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.6</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ypserv</code> package can be uninstalled with
the following command:
<pre>$ sudo yum erase ypserv</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The NIS service provides an unencrypted authentication service which does not
provide for the confidentiality and integrity of user passwords or the remote session.

Removing the <code>ypserv</code> package decreases the risk of the accidental (or intentional) 
activation of NIS or NIS+ services.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_ypbind_disabled" id="rule-detail-idp123716768"><div class="keywords sr-only">Disable ypbind Servicexccdf_org.ssgproject.content_rule_service_ypbind_disabled mediumCCE-27385-4 </div><div class="panel-heading"><h3 class="panel-title">Disable ypbind Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_ypbind_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27385-4">CCE-27385-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ypbind</code> service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.

    The <code>ypbind</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable ypbind.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling the <code>ypbind</code> service ensures the system is not acting
as a client in a NIS or NIS+ domain.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-detail-idp123720416"><div class="keywords sr-only">Remove NIS Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed lowCCE-27396-1 </div><div class="panel-heading"><h3 class="panel-title">Remove NIS Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypbind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27396-1">CCE-27396-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.5</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client (<code>ypbind</code>) was used to bind a machine to an NIS server
and receive the distributed configuration files.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The NIS service is inherently an insecure system that has been vulnerable
to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps.
NIS generally has been replaced by such protocols as Lightweight Directory Access 
Protocol (LDAP). It is recommended that the service be removed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_tftp_disabled" id="rule-detail-idp123724064"><div class="keywords sr-only">Disable tftp Servicexccdf_org.ssgproject.content_rule_service_tftp_disabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable tftp Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_tftp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>tftp</code> service should be disabled.

    The <code>tftp</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable tftp.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Disabling the <code>tftp</code> service ensures the system is not acting
as a TFTP server, which does not provide encryption or authentication.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp-server_removed" id="rule-detail-idp123728976"><div class="keywords sr-only">Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall tftp-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1814</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040500</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.8</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121026 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>tftp-server</code> package can be removed with the following command:
    <pre>$ sudo yum erase tftp-server</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Removing the <code>tftp-server</code> package decreases the risk of the
accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations),
its use must be documented with the Information Systems Security Manager (ISSM), restricted to 
only authorized personnel, and have access control rules established.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_tftp_removed" id="rule-detail-idp123732640"><div class="keywords sr-only">Remove tftp Daemonxccdf_org.ssgproject.content_rule_package_tftp_removed highCCE- </div><div class="panel-heading"><h3 class="panel-title">Remove tftp Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tftp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-">CCE-</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between machines.
TFTP does not support authentication and can be easily hacked. The package
<code>tftp</code> is a client program that allows for connections to a <code>tftp</code> server.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" id="rule-detail-idp123737552"><div class="keywords sr-only">Ensure tftp Daemon Uses Secure Modexccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure tftp Daemon Uses Secure Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If running the <code>tftp</code> service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
<code>/etc/xinetd.d/tftp</code> includes <code>-s</code> as a command line argument, as shown in
the following example (which is also the default):
<pre>server_args = -s /var/lib/tftpboot</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using the <code>-s</code> option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-detail-idp123742480"><div class="keywords sr-only">Uninstall talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-27210-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27210-4">CCE-27210-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.10</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140625 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>talk-server</code> package can be removed with the following command:
    <pre>$ sudo yum erase talk-server</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the <code>talk-server</code> package decreases the
risk of the accidental (or intentional) activation of talk services.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-detail-idp123746160"><div class="keywords sr-only">Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed lowCCE-27432-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27432-4">CCE-27432-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.9</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140625 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>talk</code> package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.

    The <code>talk</code> package can be removed with the following command:
    <pre>$ sudo yum erase talk</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the <code>talk</code> package decreases the
risk of the accidental (or intentional) activation of the talk client program.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_abrtd_disabled" id="rule-detail-idp123749792"><div class="keywords sr-only">Disable Automatic Bug Reporting Tool (abrtd)xccdf_org.ssgproject.content_rule_service_abrtd_disabled lowCCE-26872-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Automatic Bug Reporting Tool (abrtd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_abrtd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-26872-2">CCE-26872-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20140921 by JL</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Automatic Bug Reporting Tool (<code>abrtd</code>) daemon collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrtd can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.

    The <code>abrtd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable abrtd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the local machine, as well as sensitive
information from within a process's address space or registers.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_acpid_disabled" id="rule-detail-idp123754720"><div class="keywords sr-only">Disable Advanced Configuration and Power Interface (acpid)xccdf_org.ssgproject.content_rule_service_acpid_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Advanced Configuration and Power Interface (acpid)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_acpid_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Advanced Configuration and Power Interface Daemon (<code>acpid</code>)
dispatches ACPI events (such as power/reset button depressed) to userspace
programs.

    The <code>acpid</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable acpid.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ACPI support is highly desirable for systems in some network roles,
such as laptops or desktops. For other systems, such as servers, it may permit
accidental or trivially achievable denial of service situations and disabling
it is appropriate.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_certmonger_disabled" id="rule-detail-idp123759648"><div class="keywords sr-only">Disable Certmonger Service (certmonger)xccdf_org.ssgproject.content_rule_service_certmonger_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Certmonger Service (certmonger)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_certmonger_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Certmonger is a D-Bus based service that attempts to simplify interaction
with certifying authorities on networks which use public-key infrastructure. It is often
combined with Red Hat's IPA (Identity Policy Audit) security information management
solution to aid in the management of certificates.

    The <code>certmonger</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable certmonger.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The services provided by certmonger may be essential for systems
fulfilling some roles in a PKI infrastructure, but its functionality is not necessary
for many other use cases.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_cgconfig_disabled" id="rule-detail-idp123764608"><div class="keywords sr-only">Disable Control Group Config (cgconfig)xccdf_org.ssgproject.content_rule_service_cgconfig_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Control Group Config (cgconfig)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_cgconfig_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Control groups allow an administrator to allocate system resources (such as CPU,
memory, network bandwidth, etc.) among a defined group (or groups) of processes executing on
a system. The <code>cgconfig</code> daemon starts at boot and establishes the predefined control groups.

    The <code>cgconfig</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable cgconfig.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unless control groups are used to manage system resources, running the cgconfig
service is not necessary.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_cgred_disabled" id="rule-detail-idp123769552"><div class="keywords sr-only">Disable Control Group Rules Engine (cgred)xccdf_org.ssgproject.content_rule_service_cgred_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Control Group Rules Engine (cgred)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_cgred_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>cgred</code> service moves tasks into control groups according to
parameters set in the <code>/etc/cgrules.conf</code> configuration file.

    The <code>cgred</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable cgred.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unless control groups are used to manage system resources, running the cgred service
is not necessary.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_cpupower_disabled" id="rule-detail-idp123774480"><div class="keywords sr-only">Disable CPU Speed (cpupower)xccdf_org.ssgproject.content_rule_service_cpupower_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable CPU Speed (cpupower)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_cpupower_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>cpupower</code> service can adjust the clock speed of supported CPUs based upon
the current processing load, thereby conserving power and reducing heat.

    The <code>cpupower</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable cpupower.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>cpupower</code> service is only necessary if adjusting the CPU clock speed
provides benefit. Traditionally this has included laptops (to enhance battery life),
but may also apply to server or desktop environments where conserving power is
highly desirable or necessary.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_irqbalance_enabled" id="rule-detail-idp123779424"><div class="keywords sr-only">Enable IRQ Balance (irqbalance)xccdf_org.ssgproject.content_rule_service_irqbalance_enabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable IRQ Balance (irqbalance)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_irqbalance_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>irqbalance</code> service optimizes the balance between
power savings and performance through distribution of hardware interrupts across
multiple processors.

    The <code>irqbalance</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable irqbalance.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In an environment with multiple processors (now common), the irqbalance service
provides potential speedups for handling interrupt requests.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_kdump_disabled" id="rule-detail-idp123784384"><div class="keywords sr-only">Disable KDump Kernel Crash Analyzer (kdump)xccdf_org.ssgproject.content_rule_service_kdump_disabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable KDump Kernel Crash Analyzer (kdump)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_kdump_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">021230</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>kdump</code> service provides a kernel crash dump analyzer. It uses the <code>kexec</code>
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.

    The <code>kdump</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable kdump.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Kernel core dumps may contain the full contents of system memory at the time of the crash.
Kernel core dumps consume a considerable amount of disk space and may result in denial of 
service by exhausting the available space on the target file system partition.
Unless the system is used for kernel development or testing, there
is little need to run the kdump service.</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>#
# Disable kdump.service for all systemd targets
#
systemctl disable kdump.service

#
# Stop kdump.service if currently running
#
systemctl stop kdump.service
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled" id="rule-detail-idp123788032"><div class="keywords sr-only">Disable Software RAID Monitor (mdmonitor)xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Software RAID Monitor (mdmonitor)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_mdmonitor_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>mdmonitor</code> service is used for monitoring a software RAID array; hardware
RAID setups do not use this service.

    The <code>mdmonitor</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable mdmonitor.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If software RAID monitoring is not required,
there is no need to run this service.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_messagebus_disabled" id="rule-detail-idp123792992"><div class="keywords sr-only">Disable D-Bus IPC Service (messagebus)xccdf_org.ssgproject.content_rule_service_messagebus_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable D-Bus IPC Service (messagebus)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_messagebus_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>D-Bus provides an IPC mechanism used by 
a growing list of programs, such as those used for GNOME, Bluetooth, and Avahi.
Due to these dependencies, disabling D-Bus may not be practical for
many systems.

    The <code>messagebus</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable messagebus.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If no services which require D-Bus are needed, then it
can be disabled. As a broker for IPC between processes of different privilege levels,
it could be a target for attack. However, disabling D-Bus is likely to be
impractical for any system which needs to provide
a graphical login session.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_netconsole_disabled" id="rule-detail-idp123797952"><div class="keywords sr-only">Disable Network Console (netconsole)xccdf_org.ssgproject.content_rule_service_netconsole_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Network Console (netconsole)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_netconsole_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>netconsole</code> service is responsible for loading the
netconsole kernel module, which logs kernel printk messages over UDP to a
syslog server. This allows debugging of problems where disk logging fails and
serial consoles are impractical.

    The <code>netconsole</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable netconsole.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>netconsole</code> service is not necessary unless there is a need to debug
kernel panics, which is not common.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" id="rule-detail-idp123802912"><div class="keywords sr-only">Disable ntpdate Service (ntpdate)xccdf_org.ssgproject.content_rule_service_ntpdate_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable ntpdate Service (ntpdate)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_ntpdate_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ntpdate</code> service sets the local hardware clock by polling NTP servers
when the system boots. It synchronizes to the NTP servers listed in
<code>/etc/ntp/step-tickers</code> or <code>/etc/ntp.conf</code>
and then sets the local hardware clock to the newly synchronized
system time.

    The <code>ntpdate</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable ntpdate.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>ntpdate</code> service may only be suitable for systems which
are rebooted frequently enough that clock drift does not cause problems between
reboots. In any event, the functionality of the ntpdate service is now
available in the ntpd program and should be considered deprecated.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled" id="rule-detail-idp123807840"><div class="keywords sr-only">Disable Odd Job Daemon (oddjobd)xccdf_org.ssgproject.content_rule_service_oddjobd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Odd Job Daemon (oddjobd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_oddjobd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>oddjobd</code> service exists to provide an interface and
access control mechanism through which
specified privileged tasks can be run on behalf of unprivileged client
applications. Communication with <code>oddjobd</code> occurs through the system message bus.

    The <code>oddjobd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable oddjobd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>oddjobd</code> service may provide necessary functionality in
some environments, and can be disabled if it is not needed. Execution of
tasks by privileged programs, on behalf of unprivileged ones, has traditionally
been a source of privilege escalation security issues.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_portreserve_disabled" id="rule-detail-idp123812768"><div class="keywords sr-only">Disable Portreserve (portreserve)xccdf_org.ssgproject.content_rule_service_portreserve_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Portreserve (portreserve)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_portreserve_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>portreserve</code> service is a TCP port reservation utility that can
be used to prevent portmap from binding to well-known TCP ports that are
required for other services.

    The <code>portreserve</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable portreserve.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>portreserve</code> service provides helpful functionality by
preventing conflicting usage of ports in the reserved port range, but it can be
disabled if not needed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_psacct_enabled" id="rule-detail-idp123817728"><div class="keywords sr-only">Enable Process Accounting (psacct)xccdf_org.ssgproject.content_rule_service_psacct_enabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Process Accounting (psacct)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_psacct_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The process accounting service, <code>psacct</code>, works with programs
including <code>acct</code> and <code>ac</code> to allow system administrators to view
user activity, such as commands issued by users of the system.

    The <code>psacct</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable psacct.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>psacct</code> service can provide administrators a convenient
view into some user activities. However, it should be noted that the auditing
system and its audit records provide more authoritative and comprehensive
records.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_qpidd_disabled" id="rule-detail-idp123822656"><div class="keywords sr-only">Disable Apache Qpid (qpidd)xccdf_org.ssgproject.content_rule_service_qpidd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Apache Qpid (qpidd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_qpidd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>qpidd</code> service provides high speed, secure,
guaranteed delivery services.  It is an implementation of the Advanced Message
Queuing Protocol.  By default the qpidd service will bind to port 5672 and
listen for connection attempts.

    The <code>qpidd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable qpidd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The qpidd service is automatically installed when the "base" 
package selection is selected during installation.  The qpidd service listens 
for network connections, which increases the attack surface of the system.  If 
the system is not intended to receive AMQP traffic, then the <code>qpidd</code> 
service is not needed and should be disabled or removed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_quota_nld_disabled" id="rule-detail-idp123827584"><div class="keywords sr-only">Disable Quota Netlink (quota_nld)xccdf_org.ssgproject.content_rule_service_quota_nld_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Quota Netlink (quota_nld)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_quota_nld_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>quota_nld</code> service provides notifications to
users of disk space quota violations. It listens to the kernel via a netlink
socket for disk quota violations and notifies the appropriate user of the
violation using D-Bus or by sending a message to the terminal that the user has
last accessed.

    The <code>quota_nld</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable quota_nld.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If disk quotas are enforced on the local system, then the
<code>quota_nld</code> service likely provides useful functionality and should
remain enabled. However, if disk quotas are not used or user notification of
disk quota violation is not desired, then there is no need to run this
service.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled" id="rule-detail-idp123832544"><div class="keywords sr-only">Disable Network Router Discovery Daemon (rdisc)xccdf_org.ssgproject.content_rule_service_rdisc_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Network Router Discovery Daemon (rdisc)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rdisc_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rdisc</code> service implements the client side of the ICMP
Internet Router Discovery Protocol (IRDP), which allows discovery of routers on
the local subnet. If a router is discovered, then the local routing table is
updated with a corresponding default route. By default this daemon is disabled.

    The <code>rdisc</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rdisc.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>General-purpose systems typically have their network and routing
information configured statically by a system administrator. Workstations or
some special-purpose systems often use DHCP (instead of IRDP) to retrieve
dynamic network configuration information.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rhnsd_disabled" id="rule-detail-idp123837472"><div class="keywords sr-only">Disable Red Hat Network Service (rhnsd)xccdf_org.ssgproject.content_rule_service_rhnsd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Red Hat Network Service (rhnsd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rhnsd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">1.2.4</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Red Hat Network service automatically queries Red Hat Network
servers to determine whether there are any actions that should be executed,
such as package updates. This only occurs if the system was registered to an
RHN server or satellite and managed as such.

    The <code>rhnsd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rhnsd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Although systems management and patching are extremely important to
system security, management by a system outside the enterprise enclave is not
desirable for some environments.  However, if the system is being managed by RHN or
 RHN Satellite Server the <code>rhnsd</code> daemon can remain on. </p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled" id="rule-detail-idp123842400"><div class="keywords sr-only">Disable Red Hat Subscription Manager Daemon (rhsmcertd)xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Red Hat Subscription Manager Daemon (rhsmcertd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rhsmcertd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Red Hat Subscription Manager (rhsmcertd) periodically checks for
changes in the entitlement certificates for a registered system and updates it
accordingly.

    The <code>rhsmcertd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rhsmcertd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rhsmcertd</code> service can provide administrators with some
additional control over which of their systems are entitled to particular
subscriptions. However, for systems that are managed locally or which are not
expected to require remote changes to their subscription status, it is
unnecessary and can be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_saslauthd_disabled" id="rule-detail-idp123847360"><div class="keywords sr-only">Disable Cyrus SASL Authentication Daemon (saslauthd)xccdf_org.ssgproject.content_rule_service_saslauthd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Cyrus SASL Authentication Daemon (saslauthd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_saslauthd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>saslauthd</code> service handles plaintext authentication requests on
behalf of the SASL library. The service isolates all code requiring superuser
privileges for SASL authentication into a single process, and can also be used
to provide proxy authentication services to clients that do not understand
SASL-based authentication.

    The <code>saslauthd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable saslauthd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>saslauthd</code> service provides essential functionality for
performing authentication in some directory environments, such as those which
use Kerberos and LDAP. For others, however, in which only local files may be
consulted, it is not necessary and should be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_smartd_disabled" id="rule-detail-idp123852320"><div class="keywords sr-only">Disable SMART Disk Monitoring Service (smartd)xccdf_org.ssgproject.content_rule_service_smartd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable SMART Disk Monitoring Service (smartd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_smartd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SMART (Self-Monitoring, Analysis, and Reporting Technology) is a
feature of hard drives that allows them to detect symptoms of disk failure and
relay an appropriate warning.

    The <code>smartd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable smartd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SMART can help protect against denial of
service due to failing hardware. Nevertheless, if it is not needed or the
system's drives are not SMART-capable (such as solid state drives), it can be
disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_sysstat_disabled" id="rule-detail-idp123857248"><div class="keywords sr-only">Disable System Statistics Reset Service (sysstat)xccdf_org.ssgproject.content_rule_service_sysstat_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable System Statistics Reset Service (sysstat)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_sysstat_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>sysstat</code> service resets various I/O and CPU
performance statistics to zero in order to begin counting from a fresh state
at boot time.

    The <code>sysstat</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable sysstat.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default the <code>sysstat</code> service merely runs a program at
boot to reset the statistics, which can be retrieved using programs such as
<code>sar</code> and <code>sadc</code>. These may provide useful insight into system
operation, but unless used this service can be disabled.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_crond_enabled" id="rule-detail-idp123862176"><div class="keywords sr-only">Enable cron Servicexccdf_org.ssgproject.content_rule_service_crond_enabled mediumCCE-27323-5 </div><div class="panel-heading"><h3 class="panel-title">Enable cron Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_crond_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27323-5">CCE-27323-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.1.2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>crond</code> service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.

    The <code>crond</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable crond.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_disable_anacron" id="rule-detail-idp123865808"><div class="keywords sr-only">Disable anacron Servicexccdf_org.ssgproject.content_rule_disable_anacron lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable anacron Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_anacron</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>cronie-anacron</code> package, which provides <code>anacron</code>
functionality, is installed by default. 

    The <code>cronie-anacron</code> package can be removed with the following command:
    <pre>$ sudo yum erase cronie-anacron</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The <code>anacron</code> service provides <code>cron</code> functionality for systems
such as laptops and workstations that may be shut down during the normal times
that <code>cron</code> jobs are scheduled to run. On systems which do not require this
additional functionality, <code>anacron</code> could needlessly increase the possible
attack surface for an intruder.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_atd_disabled" id="rule-detail-idp123869440"><div class="keywords sr-only">Disable At Service (atd)xccdf_org.ssgproject.content_rule_service_atd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable At Service (atd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_atd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">381</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>at</code> and <code>batch</code> commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon <code>atd</code> keeps track of tasks scheduled via
<code>at</code> and <code>batch</code>, and executes them at the specified time.

    The <code>atd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable atd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The <code>atd</code> service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with <code>at</code> or
<code>batch</code> is not common.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-detail-idp123898832"><div class="keywords sr-only">Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-27320-1 </div><div class="panel-heading"><h3 class="panel-title">Allow Only SSH Protocol 2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27320-1">CCE-27320-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">197</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.1</a>, <a href="">SRG-OS-000074-GPOS-00042</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040590</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Only SSH protocol version 2 connections should be
permitted. The default setting in
<code>/etc/ssh/sshd_config</code> is correct, and can be
verified by ensuring that the following
line appears:
<pre>Protocol 2</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSH protocol version 1 is an insecure implementation of the SSH protocol and
has many well-known exploitable vulnerabilities. Exploits of the SSH daemon could provide
immediate root access to the system.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>grep -qi ^Protocol /etc/ssh/sshd_config && \
  sed -i "s/^Protocol.*/Protocol 2/gI" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Protocol 2" >> /etc/ssh/sshd_config
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_limit_user_access" id="rule-detail-idp123902496"><div class="keywords sr-only">Limit Users' SSH Accessxccdf_org.ssgproject.content_rule_sshd_limit_user_access lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Limit Users' SSH Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_limit_user_access</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the SSH configuration allows any user with an account
to access the system. In order to specify the users that are allowed to log in
via SSH and deny all other users, add or correct the following line in the
<code>/etc/ssh/sshd_config</code> file:
<pre>DenyUsers USER1 USER2</pre>
Where <code>USER1</code> and <code>USER2</code> are valid user names.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Specifying which accounts are allowed SSH access into the system reduces the
possibility of unauthorized access to the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idp123904864"><div class="keywords sr-only">Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1814</a>, <a href="">SRG-OS-000364-GPOS-00151</a>, <a href="">040660</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the <code>/etc/ssh/sshd_config</code> file:
<pre>GSSAPIAuthentication no</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idp123908512"><div class="keywords sr-only">Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1812</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1813</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1814</a>, <a href="">SRG-OS-000364-GPOS-00151</a>, <a href="">040670</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the <code>/etc/ssh/sshd_config</code> file:
<pre>KerberosAuthentication no</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation. Vulnerabilities in the system's Kerberos
implementations may be subject to exploitation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idp123912160"><div class="keywords sr-only">Enable Use of StrictModesxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Use of StrictModes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040680</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's StrictModes option checks file ownership and permissions in
the user's home directory <code>.ssh</code> folder before accepting login. If
world-writable permissions are found, logon is rejected. To enable StrictModes in SSH,
add or correct the following line in the <code>/etc/ssh/sshd_config</code> file:
<pre>StrictModes yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" id="rule-detail-idp123915808"><div class="keywords sr-only">Enable Use of Privilege Separationxccdf_org.ssgproject.content_rule_sshd_use_priv_separation mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Privilege Separation</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_priv_separation</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040690</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will create an unprivileged child process that
has the privilege of the authenticated user. To enable privilege separation in
SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file:
<pre>UsePrivilegeSeparation yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSH daemon privilege separation causes the SSH process to drop root privileges
when not needed, which would decrease the impact of software vulnerabilities in
the unprivileged section.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_compression" id="rule-detail-idp123919456"><div class="keywords sr-only">Disable Compression Or Set Compression to delayedxccdf_org.ssgproject.content_rule_sshd_disable_compression mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Compression Or Set Compression to delayed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_compression</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040700</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
<code>/etc/ssh/sshd_config</code> file:
<pre>Compression no</pre> or <pre>Compression delayed</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If compression is allowed in an SSH connection prior to authentication,
vulnerabilities in the compression software could result in compromise of the
system from an unauthenticated connection, potentially with root privileges.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-detail-idp123923104"><div class="keywords sr-only">Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Print Last Log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_print_last_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040300</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>When enabled, SSH will display the date and time of the last
successful account logon. To enable LastLog in
SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file:
<pre>PrintLastLog yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idp123928016"><div class="keywords sr-only">Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout lowCCE-27433-2 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27433-2">CCE-27433-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2361</a>, <a href="">SRG-OS-000163-GPOS-00072</a>, <a href="">SRG-OS-000279-GPOS-00109</a>, <a href="">040190</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.12</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH allows administrators to set an idle timeout
interval.
After this interval has passed, the idle user will be
automatically logged out.
<br><br>
To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as
follows:
<pre>ClientAliveInterval <b>interval</b></pre>
The timeout <b>interval</b> is given in seconds. To have a timeout
of 10 minutes, set <b>interval</b> to 600.
<br><br>
If a shorter timeout has already been set for the login
shell, that value will preempt any SSH
setting made here. Keep in mind that some processes may stop SSH
from correctly detecting that the user is idle.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been left unattended.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
sshd_idle_timeout_value="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' "$sshd_idle_timeout_value" 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idp123932480"><div class="keywords sr-only">Set SSH Client Alive Countxccdf_org.ssgproject.content_rule_sshd_set_keepalive lowCCE-27082-7 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Count</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27082-7">CCE-27082-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2361</a>, <a href="">SRG-OS-000163-GPOS-00072</a>, <a href="">SRG-OS-000279-GPOS-00109</a>, <a href="">TBD</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.12</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the SSH idle timeout occurs precisely when the <code>ClientAliveCountMax</code> is set,
edit <code>/etc/ssh/sshd_config</code> as
follows:
<pre>ClientAliveCountMax 0</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This ensures a user login will be terminated as soon as the <code>ClientAliveCountMax</code>
is reached.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' '0' 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-detail-idp123936112"><div class="keywords sr-only">Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-27377-1 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for .rhosts Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27377-1">CCE-27377-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">http://iase.disa.mil/stigs/cci/Pages/index.aspx</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.6</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via <code>.rhosts</code> files.
<br><br>
To ensure this behavior is disabled, add or correct the
following line in <code>/etc/ssh/sshd_config</code>:
<pre>IgnoreRhosts yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idp123939744"><div class="keywords sr-only">Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-27413-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27413-4">CCE-27413-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00229</a>, <a href="">010442</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's cryptographic host-based authentication is
more secure than <code>.rhosts</code> authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
<br><br>
To disable host-based authentication, add or correct the
following line in <code>/etc/ssh/sshd_config</code>:
<pre>HostbasedAuthentication no</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_enable_x11_forwarding" id="rule-detail-idp123943376"><div class="keywords sr-only">Enable Encrypted X11 Forwardingxccdf_org.ssgproject.content_rule_enable_x11_forwarding highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Encrypted X11 Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_x11_forwarding</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-2(1)(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040540</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, remote X11 connections are not encrypted when initiated
by users. SSH has the capability to encrypt remote X11 connections when SSH's
<code>X11Forwarding</code> option is enabled.
<br><br>
To enable X11 Forwarding, add or correct the
following line in <code>/etc/ssh/sshd_config</code>:
<pre>X11Forwarding yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Open X displays allow an attacker to capture keystrokes and to execute commands
remotely.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idp123947008"><div class="keywords sr-only">Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-27445-6 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27445-6">CCE-27445-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040310</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.8</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in <code>/etc/ssh/sshd_config</code>:
<pre>PermitRootLogin no</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'PermitRootLogin no' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-detail-idp123950656"><div class="keywords sr-only">Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-27471-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27471-2">CCE-27471-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00229</a>, <a href="">010440</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in <code>/etc/ssh/sshd_config</code>:
<br>
<pre>PermitEmptyPasswords no</pre>
<br>
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of 
misconfiguration elsewhere.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idp123954320"><div class="keywords sr-only">Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-27314-4 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27314-4">CCE-27314-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)(3)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">50</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</a>, <a href="">SRG-OS-000023-GPOS-00006</a>, <a href="">SRG-OS-000024-GPOS-00007</a>, <a href="">SRG-OS-000228-GPOS-00088</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.14</a>, <a href="">040170</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>:
<pre>Banner /etc/issue</pre>
Another section contains information on how to create an
appropriate system-wide warning banner.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers.  Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^Banner' '/etc/issue' 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-detail-idp123957984"><div class="keywords sr-only">Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-27363-1 </div><div class="panel-heading"><h3 class="panel-title">Do Not Allow SSH Environment Options</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27363-1">CCE-27363-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00229</a>, <a href="">010441</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.10</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure users are not able to override environment
options to the SSH daemon, add or correct the following line
in <code>/etc/ssh/sshd_config</code>:
<pre>PermitUserEnvironment no</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSH environment options potentially allow users to bypass
access restrictions in some configurations.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^PermitUserEnvironment' 'no' 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" id="rule-detail-idp123961648"><div class="keywords sr-only">Use Only Approved Ciphersxccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers mediumCCE-27295-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only Approved Ciphers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27295-5">CCE-27295-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">803</a>, <a href="">SRG-OS-000033-GPOS-00014</a>, <a href="">SRG-OS-000120-GPOS-00061</a>, <a href="">SRG-OS-000125-GPOS-00065</a>, <a href="">SRG-OS-000250-GPOS-00093</a>, <a href="">SRG-OS-000393-GPOS-00173</a>, <a href="">040110</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">6.2.11</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in <code>/etc/ssh/sshd_config</code>
demonstrates use of FIPS-approved ciphers:
<pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre>
The man page <code>sshd_config(5)</code> contains a list of supported ciphers.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
<br>
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
cryptographic modules.
<br>
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' 'CCENUM' '%s %s'
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" id="rule-detail-idp123965312"><div class="keywords sr-only">Use Only FIPS Approved MACsxccdf_org.ssgproject.content_rule_sshd_use_approved_macs mediumCCE-27455-5 </div><div class="panel-heading"><h3 class="panel-title">Use Only FIPS Approved MACs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_approved_macs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27455-5">CCE-27455-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">803</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2449</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2450</a>, <a href="">SRG-OS-000250-GPOS-00093</a>, <a href="">040620</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in <code>/etc/ssh/sshd_config</code>
demonstrates use of FIPS-approved MACs:
<pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
The man page <code>sshd_config(5)</code> contains a list of supported MACs.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
DoD Information Systems are required to use FIPS-approved cryptographic hash
functions. The only SSHv2 hash algorithm meeting this requirement is SHA2.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>grep -qi ^MACs /etc/ssh/sshd_config && \
  sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1/gI" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1" >> /etc/ssh/sshd_config
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_openssh-server_installed" id="rule-detail-idp123874352"><div class="keywords sr-only">Install the OpenSSH Server Packagexccdf_org.ssgproject.content_rule_package_openssh-server_installed mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install the OpenSSH Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_openssh-server_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2422</a>, <a href="">SRG-OS-000423-GPOS-00187</a>, <a href="">SRG-OS-000423-GPOS-00188</a>, <a href="">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a>, <a href="">040260</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>openssh-server</code> package should be installed.

    The <code>openssh-server</code> package can be installed with the following command:
    <pre>$ sudo yum install openssh-server</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Without protection of the transmitted information, confidentiality and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_sshd_enabled" id="rule-detail-idp123879312"><div class="keywords sr-only">Enable the OpenSSH Servicexccdf_org.ssgproject.content_rule_service_sshd_enabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable the OpenSSH Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_sshd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2418</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2420</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2421</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">2422</a>, <a href="">SRG-OS-000423-GPOS-00187</a>, <a href="">SRG-OS-000423-GPOS-00188</a>, <a href="">SRG-OS-000423-GPOS-00189</a>, <a href="">SRG-OS000423-GPOS-00190</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SSH server service, sshd, is commonly needed.

    The <code>sshd</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable sshd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Without protection of the transmitted information, confidentiality and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_sshd_disabled" id="rule-detail-idp123884224"><div class="keywords sr-only">Disable SSH Server If Possible (Unusual)xccdf_org.ssgproject.content_rule_service_sshd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Server If Possible (Unusual)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_sshd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SSH server service, sshd, is commonly needed.
However, if it can be disabled, do so.

    The <code>sshd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable sshd.service</pre>
This is unusual, as SSH is a common method for encrypted and authenticated
remote access.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" id="rule-detail-idp123887856"><div class="keywords sr-only">Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-27311-0 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Public *.pub Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27311-0">CCE-27311-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040640</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
          
    To properly set the permissions of <code>/etc/ssh/*.pub</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 0644 /etc/ssh/*.pub</pre>
        </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If a public host key file is modified by an unauthorized user, the SSH service
may be compromised.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idp123891520"><div class="keywords sr-only">Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-27485-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27485-2">CCE-27485-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040650</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
          
    To properly set the permissions of <code>/etc/ssh/*_key</code>, run the command:
    <pre xml:space="preserve">$ sudo chmod 0600 /etc/ssh/*_key</pre>
        </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If an unauthorized user obtains the private SSH host key file, the host could be
impersonated.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled" id="rule-detail-idp123895184"><div class="keywords sr-only">Remove SSH Server firewalld Firewall exception (Unusual)xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Remove SSH Server firewalld Firewall exception (Unusual)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_firewalld_sshd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, inbound connections to SSH's port are allowed. If
the SSH server is not being used, this exception should be removed from the
firewall configuration.
<br><br>

        To configure <code>firewalld</code> to not allow access, run the following command(s):
        <code></code>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If inbound SSH connections are not expected, disallowing access to the SSH port will
avoid possible exploitation of the port by an attacker.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_xwindows_runlevel_setting" id="rule-detail-idp123968960"><div class="keywords sr-only">Disable X Windows Startup By Setting Default Targetxccdf_org.ssgproject.content_rule_xwindows_runlevel_setting mediumCCE-27285-6 </div><div class="panel-heading"><h3 class="panel-title">Disable X Windows Startup By Setting Default Target</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_xwindows_runlevel_setting</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27285-6">CCE-27285-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040561</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Systems that do not require a graphical user interface should only boot by
default into <code>multi-user.target</code> mode. This prevents accidental booting of the system
into a <code>graphical.target</code> mode. Setting the system's default target to
<code>multi-user.target</code> will prevent automatic startup of the X server. To do so, run:
<pre>$ systemctl set-default multi-user.target</pre>
You should see the following output:
<pre>rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Services that are not required for system and application processes
must not be active, to decrease the attack surface of the system. X Windows has a
long history of security vulnerabilities and should not be used unless approved
and documented.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" id="rule-detail-idp123972624"><div class="keywords sr-only">Remove the X Windows Package Groupxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed mediumCCE-27218-7 </div><div class="panel-heading"><h3 class="panel-title">Remove the X Windows Package Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27218-7">CCE-27218-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8).1(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.2</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040560</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a <code>graphical.target</code>
mode. To do so, run the following commands:
<pre>$ sudo yum groupremove "X Window System"</pre>
<pre>$ sudo yum remove xorg-x11-server-common</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary service packages must not be installed, to decrease the attack surface of the system. X Windows has a long history of security
vulnerabilities and should not be installed unless approved and documented.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-detail-idp123976304"><div class="keywords sr-only">Disable Avahi Server Softwarexccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Avahi Server Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>avahi-daemon</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable avahi-daemon.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Because the Avahi daemon service keeps an open network
port, it is subject to network attacks. Its functionality
is convenient but is only appropriate if the local network
can be trusted.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_avahi_ip_only" id="rule-detail-idp123981264"><div class="keywords sr-only">Serve Avahi Only via Required Protocolxccdf_org.ssgproject.content_rule_avahi_ip_only lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Serve Avahi Only via Required Protocol</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_avahi_ip_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If you are using only IPv4, edit <code>/etc/avahi/avahi-daemon.conf</code> and ensure
the following line exists in the <code>[server]</code> section:
<pre>use-ipv6=no</pre>
Similarly, if you are using only IPv6, disable IPv4 sockets with the line:
<pre>use-ipv4=no</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_avahi_check_ttl" id="rule-detail-idp123983616"><div class="keywords sr-only">Check Avahi Responses' TTL Fieldxccdf_org.ssgproject.content_rule_avahi_check_ttl lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Check Avahi Responses' TTL Field</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_avahi_check_ttl</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To make Avahi ignore packets unless the TTL field is 255, edit
<code>/etc/avahi/avahi-daemon.conf</code> and ensure the following line
appears in the <code>[server]</code> section:
<pre>check-response-ttl=yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This helps to ensure that only mDNS responses from the local network are
processed, because the TTL field in a packet is decremented from its initial
value of 255 whenever it is routed from one network to another. Although a
properly-configured router or firewall should not allow mDNS packets into
the local network at all, this option provides another check to ensure they
are not permitted.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing" id="rule-detail-idp123985968"><div class="keywords sr-only">Prevent Other Programs from Using Avahi's Portxccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Prevent Other Programs from Using Avahi's Port</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_avahi_prevent_port_sharing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To prevent other mDNS stacks from running, edit <code>/etc/avahi/avahi-daemon.conf</code>
and ensure the following line appears in the <code>[server]</code> section:
<pre>disallow-other-stacks=yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This helps ensure that only Avahi is responsible for mDNS traffic coming from
that port on the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_avahi_disable_publishing" id="rule-detail-idp123988336"><div class="keywords sr-only">Disable Avahi Publishingxccdf_org.ssgproject.content_rule_avahi_disable_publishing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Avahi Publishing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_avahi_disable_publishing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To prevent other mDNS stacks from running, edit <code>/etc/avahi/avahi-daemon.conf</code>
and ensure the following line appears in the <code>[server]</code> section:
<pre>disallow-other-stacks=yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This helps ensure that only Avahi is responsible for mDNS traffic coming from
that port on the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_avahi_restrict_published_information" id="rule-detail-idp123990704"><div class="keywords sr-only">Restrict Information Published by Avahixccdf_org.ssgproject.content_rule_avahi_restrict_published_information lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Information Published by Avahi</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_avahi_restrict_published_information</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
If it is necessary to publish some information to the network, it should not be joined
by any extraneous information, or by information supplied by a non-trusted source
on the system.
Prevent user applications from using Avahi to publish services by adding or
correcting the following line in the <code>[publish]</code> section:
<pre>disable-user-service-publishing=yes</pre>
Implement as many of the following lines as possible, to restrict the information
published by Avahi.
<pre>publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no</pre>
Inspect the files in the directory <code>/etc/avahi/services/</code>. Unless there
is an operational need to publish information about each of these services,
delete the corresponding file.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
These options prevent publishing attempts from succeeding,
and can be applied even if publishing is disabled entirely via
disable-publishing. Alternatively, these can be used to restrict
the types of published information in the event that some information
must be published.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_cups_disable_browsing" id="rule-detail-idp123997984"><div class="keywords sr-only">Disable Printer Browsing Entirely if Possiblexccdf_org.ssgproject.content_rule_cups_disable_browsing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Printer Browsing Entirely if Possible</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_cups_disable_browsing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, CUPS listens on the network for printer list
broadcasts on UDP port 631. This functionality is called printer browsing.
To disable printer browsing entirely, edit the CUPS configuration
file, located at <code>/etc/cups/cupsd.conf</code>, to include the following:
<pre>Browsing Off</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The CUPS print service can be configured to broadcast a list of
available printers to the network. Other machines on the network, also running
the CUPS print service, can be configured to listen to these broadcasts and add
and configure these printers for immediate use. By disabling this browsing
capability, the machine will no longer generate or receive such broadcasts.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_cups_disable_printserver" id="rule-detail-idp124001616"><div class="keywords sr-only">Disable Print Server Capabilitiesxccdf_org.ssgproject.content_rule_cups_disable_printserver lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Print Server Capabilities</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_cups_disable_printserver</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To prevent remote users from potentially connecting to and using
locally configured printers, disable the CUPS print server sharing
capabilities. To do so, limit how the server will listen for print jobs by
removing the more generic port directive from /etc/cups/cupsd.conf:
<pre>Port 631</pre>
and replacing it with the <code>Listen</code> directive:
<pre>Listen localhost:631</pre>
This will prevent remote users from printing to locally configured printers
while still allowing local users on the machine to print normally.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default, locally configured printers will not be shared over the
network, but if this functionality has somehow been enabled, these
recommendations will disable it again. Be sure to disable outgoing printer list
broadcasts, or remote users will still be able to see the locally configured
printers, even if they cannot actually print to them. To limit print serving to
a particular set of users, use the Policy directive.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_cups_disabled" id="rule-detail-idp123993072"><div class="keywords sr-only">Disable the CUPS Servicexccdf_org.ssgproject.content_rule_service_cups_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable the CUPS Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_cups_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.4</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
          
    The <code>cups</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable cups.service</pre>
        </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Turn off unneeded services to reduce attack surface.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_dhcpd_disabled" id="rule-detail-idp124005264"><div class="keywords sr-only">Disable DHCP Servicexccdf_org.ssgproject.content_rule_service_dhcpd_disabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable DHCP Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_dhcpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>dhcpd</code> service should be disabled on
any system that does not need to act as a DHCP server.

    The <code>dhcpd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable dhcpd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Unmanaged or unintentionally activated DHCP servers may provide faulty information
to clients, interfering with the operation of a legitimate site
DHCP server if there is one.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_dhcp_removed" id="rule-detail-idp124010192"><div class="keywords sr-only">Uninstall DHCP Server Packagexccdf_org.ssgproject.content_rule_package_dhcp_removed mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall DHCP Server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dhcp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.5</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the system does not need to act as a DHCP server,
the dhcp package can be uninstalled.

    The <code>dhcp</code> package can be removed with the following command:
    <pre>$ sudo yum erase dhcp</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Removing the DHCP server ensures that it cannot be easily or
accidentally reactivated and disrupt network operation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns" id="rule-detail-idp124015104"><div class="keywords sr-only">Do Not Use Dynamic DNSxccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Do Not Use Dynamic DNS</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dhcp_server_disable_ddns</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To prevent the DHCP server from receiving DNS information from
clients, edit <code>/etc/dhcp/dhcpd.conf</code>, and add or correct the following global
option: <pre>ddns-update-style none;</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The Dynamic DNS protocol is used to remotely update the data served
by a DNS server. DHCP servers can use Dynamic DNS to publish information about
their clients. This setup carries security risks, and its use is not
recommended.  If Dynamic DNS must be used despite the risks it poses, it is
critical that Dynamic DNS transactions be protected using TSIG or some other
cryptographic authentication mechanism. See dhcpd.conf(5) for more information
about protecting the DHCP server from passing along malicious DNS data from its
clients.  </p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        The ddns-update-style option controls only whether
the DHCP server will attempt to act as a Dynamic DNS client. As long as the DNS
server itself is correctly configured to reject DDNS attempts, an incorrect
ddns-update-style setting on the client is harmless (but should be fixed as a
best practice).</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline" id="rule-detail-idp124017472"><div class="keywords sr-only">Deny Decline Messagesxccdf_org.ssgproject.content_rule_dhcp_server_deny_decline lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Deny Decline Messages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dhcp_server_deny_decline</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit <code>/etc/dhcp/dhcpd.conf</code> and add or correct the following
global option to prevent the DHCP server from responding to DHCPDECLINE
messages, if possible: <pre>deny declines;</pre> </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The DHCPDECLINE message can be sent by a DHCP client to indicate
that it does not consider the lease offered by the server to be valid. By
issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP
server's pool of IP addresses, causing the DHCP server to forget old address
allocations.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp" id="rule-detail-idp124019840"><div class="keywords sr-only">Deny BOOTP Queriesxccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Deny BOOTP Queries</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dhcp_server_deny_bootp</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless your network needs to support older BOOTP clients, disable
support for the bootp protocol by adding or correcting the global option:
<pre>deny bootp;</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The bootp option tells dhcpd to respond to BOOTP queries. If support
for this simpler protocol is not needed, it should be disabled to remove attack
vectors against the DHCP server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dhcp_server_configure_logging" id="rule-detail-idp124022208"><div class="keywords sr-only">Configure Loggingxccdf_org.ssgproject.content_rule_dhcp_server_configure_logging lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dhcp_server_configure_logging</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure that the following line exists in
<code>/etc/rsyslog.conf</code>:
<pre>daemon.*           /var/log/daemon.log</pre>
Configure logwatch or other log monitoring tools to summarize error conditions
reported by the dhcpd process.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default, dhcpd logs notices to the daemon facility. Sending all
daemon messages to a dedicated log file is part of the syslog configuration
outlined in the Logging and Auditing section</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg" id="rule-detail-idp124024576"><div class="keywords sr-only">Disable DHCP Clientxccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable DHCP Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
For each interface on the system (e.g. eth0), edit
<code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code> and make the
following changes:
<ul><li> Correct the BOOTPROTO line to read:
<pre>BOOTPROTO=none</pre>
</li><li> Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
<pre>NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1</pre>
</li></ul>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
DHCP relies on trusting the local network. If the local network is not trusted,
then it should not be used.  However, the automatic configuration provided by
DHCP is commonly used and the alternative, manual configuration, presents an
unacceptable burden in many circumstances.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" id="rule-detail-idp124029536"><div class="keywords sr-only">Enable the NTP Daemonxccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled mediumCCE-27444-9 </div><div class="panel-heading"><h3 class="panel-title">Enable the NTP Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27444-9">CCE-27444-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
    The <code>chronyd</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable chronyd.service</pre>
Note: The <code>chronyd</code> daemon is enabled by default.
<br><br>

    The <code>ntpd</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable ntpd.service</pre>
Note: The <code>ntpd</code> daemon is not enabled by default. However, as mentioned
in the previous sections, in certain environments the <code>ntpd</code> daemon might
be preferred over <code>chronyd</code>. Refer to:
  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for guidance on which NTP daemon to choose for a given environment.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enabling either the <code>chronyd</code> or the <code>ntpd</code> service ensures
that the NTP daemon will be running and that the system will synchronize its
time to any servers specified. This is important whether the system is
configured to be a client (and synchronize only its own clock) or it is also
acting as an NTP server to other systems.  Synchronizing time is essential for
authentication services such as Kerberos, but it is also important for
maintaining accurate logs and auditing possible security breaches.
<br><br>
The <code>chronyd</code> and <code>ntpd</code> NTP daemons offer all of the
functionality of <code>ntpdate</code>, which is now deprecated. Additional
information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>. /usr/share/scap-security-guide/remediation_functions

# Install and enable chronyd when neither NTP package is present
if ! rpm -q --quiet chrony && ! rpm -q --quiet ntp; then
  package_command install chrony
  service_command enable chronyd
elif rpm -q --quiet chrony; then
  # Leave a running ntpd in place; otherwise enable chronyd
  if ! /usr/sbin/pidof ntpd >/dev/null ; then
    service_command enable chronyd
  fi
else
  service_command enable ntpd
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" id="rule-detail-idp124033200"><div class="keywords sr-only">Specify a Remote NTP Serverxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server mediumCCE-27278-1 </div><div class="panel-heading"><h3 class="panel-title">Specify a Remote NTP Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27278-1">CCE-27278-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 Server system can be
configured to utilize the services of the <code>chronyd</code> NTP daemon (the
default), or services of the <code>ntpd</code> NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of the two daemons, and for
further guidance on how to choose between them.
<br>
To specify a remote NTP server for time synchronization, perform the following:
<ul><li> if the system is configured to use <code>chronyd</code> as the NTP daemon (the
default), edit the file <code>/etc/chrony.conf</code> as follows,</li><li> if the system is configured to use <code>ntpd</code> as the NTP daemon,
edit the file <code>/etc/ntp.conf</code> as documented below.</li></ul>
Add or correct the following lines, substituting the IP address or hostname of a remote
NTP server for <em>ntpserver</em>:
<pre>server <i>ntpserver</i></pre>
This instructs the NTP software to contact that remote server to obtain time
data.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Synchronizing with an NTP server makes it possible to collate system
logs from multiple sources or correlate computer events with real time events.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_multiple_time_servers="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
# Configure chronyd unless ntpd is the running NTP daemon
if ! /usr/sbin/pidof ntpd >/dev/null ; then
  if ! grep -q '^server' /etc/chrony.conf ; then
    if ! grep -q '#[[:space:]]*server' /etc/chrony.conf ; then
      # No server lines at all: append the configured time servers
      for i in `echo "$var_multiple_time_servers" | tr ',' '\n'` ; do
        echo -ne "\nserver $i iburst" >> /etc/chrony.conf
      done
    else
      # Commented-out server lines exist: uncomment them
      sed -i 's/#[[:space:]]*server/server/g' /etc/chrony.conf
    fi
  fi
else
  if ! grep -q '^server' /etc/ntp.conf ; then
    if ! grep -q '#[[:space:]]*server' /etc/ntp.conf ; then
      for i in `echo "$var_multiple_time_servers" | tr ',' '\n'` ; do
        echo -ne "\nserver $i iburst" >> /etc/ntp.conf
      done
    else
      sed -i 's/#[[:space:]]*server/server/g' /etc/ntp.conf
    fi
  fi
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" id="rule-detail-idp124036864"><div class="keywords sr-only">Specify Additional Remote NTP Serversxccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers lowCCE-27012-4 </div><div class="panel-heading"><h3 class="panel-title">Specify Additional Remote NTP Servers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27012-4">CCE-27012-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Depending on specific functional requirements of a concrete
production environment, the Red Hat Enterprise Linux 7 Server system can be
configured to utilize the services of the <code>chronyd</code> NTP daemon (the
default), or services of the <code>ntpd</code> NTP daemon. Refer to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for a more detailed comparison of the features of the two daemons, and for
further guidance on how to choose between them.
<br>
Additional NTP servers can be specified for time synchronization. To do so,
perform the following:
<ul><li> if the system is configured to use <code>chronyd</code> as the NTP daemon
(the default), edit the file <code>/etc/chrony.conf</code> as follows,</li><li> if the system is configured to use <code>ntpd</code> as the NTP daemon,
edit the file <code>/etc/ntp.conf</code> as documented below.</li></ul>
Add additional lines of the following form, substituting the IP address or
hostname of a remote NTP server for <em>ntpserver</em>:
<pre>server <i>ntpserver</i></pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
</p></div></td></tr><tr><td colspan="2"><div class="remediation"><span class="label label-success">Remediation script:</span><pre><code>
. /usr/share/scap-security-guide/remediation_functions
var_multiple_time_servers="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
# Configure chronyd unless ntpd is the running NTP daemon
if ! /usr/sbin/pidof ntpd >/dev/null ; then
  # Fewer than two active server lines: add or uncomment servers
  if [ "`grep -c '^server' /etc/chrony.conf`" -lt 2 ]; then
    if ! grep -q '#[[:space:]]*server' /etc/chrony.conf ; then
      for i in `echo "$var_multiple_time_servers" | tr ',' '\n'` ; do
        echo -ne "\nserver $i iburst" >> /etc/chrony.conf
      done
    else
      sed -i 's/#[[:space:]]*server/server/g' /etc/chrony.conf
    fi
  fi
else
  if [ "`grep -c '^server' /etc/ntp.conf`" -lt 2 ]; then
    if ! grep -q '#[[:space:]]*server' /etc/ntp.conf ; then
      for i in `echo "$var_multiple_time_servers" | tr ',' '\n'` ; do
        echo -ne "\nserver $i iburst" >> /etc/ntp.conf
      done
    else
      sed -i 's/#[[:space:]]*server/server/g' /etc/ntp.conf
    fi
  fi
fi
</code></pre></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" id="rule-detail-idp124050400"><div class="keywords sr-only">Disable Postfix Network Listeningxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Postfix Network Listening</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.16</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Edit the file <code>/etc/postfix/main.cf</code> to ensure that only the following
<code>inet_interfaces</code> line appears:
<pre>inet_interfaces = localhost</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This ensures <code>postfix</code> accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_postfix_server_banner" id="rule-detail-idp124055360"><div class="keywords sr-only">Configure SMTP Greeting Bannerxccdf_org.ssgproject.content_rule_postfix_server_banner mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure SMTP Greeting Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_postfix_server_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-22</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-13</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit <code>/etc/postfix/main.cf</code>, and add or correct the
following line, substituting some other wording for the banner information if
you prefer:
<pre>smtpd_banner = $myhostname ESMTP</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The default greeting banner discloses that the listening mail
process is Postfix.  When remote mail senders connect to the MTA on port 25,
they are greeted by an initial banner as part of the SMTP dialogue. This banner
is necessary, but it frequently gives away too much information, including the
MTA software which is in use, and sometimes also its version number. Remote
mail senders do not need this information in order to send mail, so the banner
should be changed to reveal only the hostname (which is already known and may
be useful) and the word ESMTP, to indicate that the modern SMTP protocol
variant is supported.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_postfix_enabled" id="rule-detail-idp124040544"><div class="keywords sr-only">Enable Postfix Servicexccdf_org.ssgproject.content_rule_service_postfix_enabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Postfix Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_postfix_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Postfix mail transfer agent is used for local mail delivery
within the system. The default configuration only listens for connections to
the default SMTP port (port 25) on the loopback interface (127.0.0.1).  It is
recommended to leave this service enabled for local mail delivery.

    The <code>postfix</code> service can be enabled with the following command:
    <pre>$ sudo systemctl enable postfix.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Local mail delivery is essential to some system maintenance and
notification tasks.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-detail-idp124045472"><div class="keywords sr-only">Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall Sendmail Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sendmail_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Sendmail is not the default mail transfer agent and is
not installed by default.

    The <code>sendmail</code> package can be removed with the following command:
    <pre>$ sudo yum erase sendmail</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux.  Postfix
should be used instead.  
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ldap_client_start_tls" id="rule-detail-idp124058992"><div class="keywords sr-only">Configure LDAP Client to Use TLS For All Transactionsxccdf_org.ssgproject.content_rule_ldap_client_start_tls mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure LDAP Client to Use TLS For All Transactions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ldap_client_start_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">776</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure LDAP to enforce TLS use. First, edit the file 
<code>/etc/nslcd.conf</code>, and add or correct the following lines:
<pre>ssl start_tls</pre>
Then review the LDAP server and ensure TLS has been configured.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The ssl directive specifies whether to use ssl or not. If
not specified it will default to no. It should be set to start_tls rather
than doing LDAP over SSL.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath" id="rule-detail-idp124063904"><div class="keywords sr-only">Configure Certificate Directives for LDAP Use of TLSxccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Certificate Directives for LDAP Use of TLS</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">776</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">778</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Ensure a copy of a trusted CA certificate has been placed in
the file <code>/etc/pki/tls/CA/cacert.pem</code>. Configure LDAP to enforce TLS 
use and to trust certificates signed by that CA. First, edit the file 
<code>/etc/nslcd.conf</code>, and add or correct either of the following lines:
<pre>tls_cacertdir /etc/pki/tls/CA</pre>
or
<pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre>
Then review the LDAP server and ensure TLS has been configured.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The tls_cacertdir or tls_cacertfile directives are required when
tls_checkpeer is configured (which is the default for openldap versions 2.1 and
up). These directives define the path to the trust certificates signed by the
site CA.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_openldap-servers_removed" id="rule-detail-idp124068864"><div class="keywords sr-only">Uninstall openldap-servers Packagexccdf_org.ssgproject.content_rule_package_openldap-servers_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall openldap-servers Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_openldap-servers_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.7</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121024 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>openldap-servers</code> package should be removed if not in use.
Is this machine the OpenLDAP server? If not, remove the package.
<pre>$ sudo yum erase openldap-servers</pre>
The openldap-servers RPM is not installed by default on Red Hat Enterprise Linux 7
machines. It is needed only by the OpenLDAP server, not by the
clients which use LDAP for authentication. If the system is not
intended for use as an LDAP Server it should be removed.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary packages should not be installed to decrease the attack
surface of the system.  While this software is clearly essential on an LDAP
server, it is not necessary on typical desktop or workstation systems.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_nfslock_disabled" id="rule-detail-idp124073824"><div class="keywords sr-only">Disable Network File System Lock Service (nfslock)xccdf_org.ssgproject.content_rule_service_nfslock_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Network File System Lock Service (nfslock)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_nfslock_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.

    The <code>nfslock</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable nfslock.service</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" id="rule-detail-idp124077472"><div class="keywords sr-only">Disable Secure RPC Client Service (rpcgssd)xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Secure RPC Client Service (rpcgssd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.

    The <code>rpcgssd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rpcgssd.service</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rpcbind_disabled" id="rule-detail-idp124081120"><div class="keywords sr-only">Disable rpcbind Servicexccdf_org.ssgproject.content_rule_service_rpcbind_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable rpcbind Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rpcbind_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The rpcbind utility maps RPC services to the ports on which they listen. RPC
processes notify rpcbind when they start, registering the ports they are
listening on and the RPC program numbers they expect to serve. The rpcbind
service redirects the client to the proper port number so it can communicate 
with the requested service. If the system does not require RPC (such as for NFS
servers) then this service should be disabled.

    The <code>rpcbind</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rpcbind.service</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" id="rule-detail-idp124084768"><div class="keywords sr-only">Disable RPC ID Mapping Service (rpcidmapd)xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable RPC ID Mapping Service (rpcidmapd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.8</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.

    The <code>rpcidmapd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rpcidmapd.service</pre>
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" id="rule-detail-idp124088432"><div class="keywords sr-only">Configure lockd to use static TCP portxccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure lockd to use static TCP port</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>lockd</code> daemon to use a static TCP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <code>/etc/sysconfig/nfs</code>. Add or correct the following line:
<pre>LOCKD_TCPPORT=lockd-port</pre>
Where <code>lockd-port</code> is a port which is not used by any other service on
your network. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Restrict the service to always use a given port, so that firewalling can be done
effectively.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" id="rule-detail-idp124090800"><div class="keywords sr-only">Configure lockd to use static UDP portxccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure lockd to use static UDP port</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>lockd</code> daemon to use a static UDP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <code>/etc/sysconfig/nfs</code>. Add or correct the following line:
<pre>LOCKD_UDPPORT=lockd-port</pre>
Where <code>lockd-port</code> is a port which is not used by any other service on
your network.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> Restricting services to always use a given port enables firewalling
to be done more effectively.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" id="rule-detail-idp124093168"><div class="keywords sr-only">Configure statd to use static portxccdf_org.ssgproject.content_rule_nfs_fixed_statd_port lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure statd to use static port</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>statd</code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <code>/etc/sysconfig/nfs</code>. Add or correct the following line:
<pre>STATD_PORT=statd-port</pre>
Where <code>statd-port</code> is a port which is not used by any other service on your network. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> Restricting services to always use a given port enables firewalling
to be done more effectively.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" id="rule-detail-idp124095520"><div class="keywords sr-only">Configure mountd to use static portxccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure mountd to use static port</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the <code>mountd</code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <code>/etc/sysconfig/nfs</code>. Add or correct the following line:
<pre>MOUNTD_PORT=mountd-port</pre>
Where <code>mountd-port</code> is a port which is not used by any other service on your network. 
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p> Restricting services to always use a given port enables firewalling
to be done more effectively.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_nfs_no_anonymous" id="rule-detail-idp124097872"><div class="keywords sr-only">Specify UID and GID for Anonymous NFS Connectionsxccdf_org.ssgproject.content_rule_nfs_no_anonymous lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Specify UID and GID for Anonymous NFS Connections</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_nfs_no_anonymous</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify the UID and GID for remote root users, edit the <code>/etc/exports</code> file and add the following for each export:
<pre>
anonuid=<code>value greater than UID_MAX from /etc/login.defs</code>
anongid=<code>value greater than GID_MAX from /etc/login.defs</code> 
</pre>
Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Specifying the anonymous UID and GID ensures that the remote root user is mapped 
to a local account which has no permissions on the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_nfs_disabled" id="rule-detail-idp124101504"><div class="keywords sr-only">Disable Network File System (nfs)xccdf_org.ssgproject.content_rule_service_nfs_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Network File System (nfs)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_nfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as an NFS server then this service should be disabled.

    The <code>nfs</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable nfs.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary services should be disabled to decrease the attack surface of the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" id="rule-detail-idp124106416"><div class="keywords sr-only">Disable Secure RPC Server Service (rpcsvcgssd)xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Secure RPC Server Service (rpcsvcgssd)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.

    The <code>rpcsvcgssd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable rpcsvcgssd.service</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unnecessary services should be disabled to decrease the attack surface of the system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems" id="rule-detail-idp124111376"><div class="keywords sr-only">Mount Remote Filesystems with nodevxccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with nodev</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-2</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
        Add the <code>nodev</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any NFS mounts.
        
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" id="rule-detail-idp124116336"><div class="keywords sr-only">Mount Remote Filesystems with nosuidxccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with nosuid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121025 by DS</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
        Add the <code>nosuid</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any NFS mounts.
        
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" id="rule-detail-idp124121312"><div class="keywords sr-only">Mount Remote Filesystems with Kerberos Securityxccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems mediumCCE-27458-9 </div><div class="panel-heading"><h3 class="panel-title">Mount Remote Filesystems with Kerberos Security</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27458-9">CCE-27458-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-14(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
              
        Add the <code>sec=krb5:krb5i:krb5p</code> option to the fourth column of
        <code>/etc/fstab</code> for the line which controls mounting of
        any NFS mounts.
        
            </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle
requests from the remote user. The userid and groupid could mistakenly or maliciously be set
incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client
systems to more securely authenticate the remote mount request.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" id="rule-detail-idp124126288"><div class="keywords sr-only">Use Root-Squashing on All Exportsxccdf_org.ssgproject.content_rule_use_root_squashing_all_exports lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Use Root-Squashing on All Exports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
<br><br>
Ensure that no line in <code>/etc/exports</code> contains the option <code>no_root_squash</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If the NFS server allows root access to local file systems from remote hosts, this
access could be used to compromise the system.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" id="rule-detail-idp124128656"><div class="keywords sr-only">Restrict NFS Clients to Privileged Portsxccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict NFS Clients to Privileged Ports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
<br><br>
To ensure that the default has not been changed, ensure no line in
<code>/etc/exports</code> contains the option <code>insecure</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing client requests to be made from ports higher than 1024 could allow an unprivileged
user to initiate an NFS connection. If the unprivileged user account has been compromised, an
attacker could gain access to data on the NFS server.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" id="rule-detail-idp124131040"><div class="keywords sr-only">Ensure Insecure File Locking is Not Allowedxccdf_org.ssgproject.content_rule_no_insecure_locks_exports mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Ensure Insecure File Locking is Not Allowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_insecure_locks_exports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests; however, a few
clients do not send credentials when requesting a file lock, so those
clients can lock only world-readable files. To get around this, the
<code>insecure_locks</code> option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the 
<code>insecure_locks</code> option from the file <code>/etc/exports</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" id="rule-detail-idp124135984"><div class="keywords sr-only">Use Kerberos Security on All Exportsxccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports mediumCCE-27464-7 </div><div class="panel-heading"><h3 class="panel-title">Use Kerberos Security on All Exports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27464-7">CCE-27464-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-14(1)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040740</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Using Kerberos on all exported mounts prevents a malicious client or user from
impersonating a system user. To cryptographically authenticate users to the NFS server,
add <code>sec=krb5:krb5i:krb5p</code> to each export in <code>/etc/exports</code>.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
When an NFS server is configured to use AUTH_SYS, a selected userid and groupid are used to handle
requests from the remote user. The userid and groupid could mistakenly or maliciously be set
incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client
systems to more securely authenticate the remote mount request.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_named_disabled" id="rule-detail-idp124140944"><div class="keywords sr-only">Disable DNS Serverxccdf_org.ssgproject.content_rule_service_named_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable DNS Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_named_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>named</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable named.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
All network services involve some risk of compromise due to
implementation flaws and should be disabled if possible.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_bind_removed" id="rule-detail-idp124145872"><div class="keywords sr-only">Uninstall bind Packagexccdf_org.ssgproject.content_rule_package_bind_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall bind Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_bind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.9</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To remove the <code>bind</code> package, which contains the
<code>named</code> service, run the following command:
<pre>$ sudo yum erase bind</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to make DNS server software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers" id="rule-detail-idp124150800"><div class="keywords sr-only">Disable Zone Transfers from the Nameserverxccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Zone Transfers from the Nameserver</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dns_server_disable_zone_transfers</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Is it necessary for a secondary nameserver to receive zone data
via zone transfer from the primary server?  If not, follow the instructions in
this section. If so, see the next section for instructions on protecting zone
transfers.
Add or correct the following directive within <code>/etc/named.conf</code>:
<pre>options {
  allow-transfer { none; };
  ...
};</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If both the primary and secondary nameserver are under your control,
or if you have only one nameserver, it may be possible to use an external
configuration management mechanism to distribute zone updates. In that case, it
is not necessary to allow zone transfers within BIND itself, so they should be
disabled to avoid the potential for abuse.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers" id="rule-detail-idp124153168"><div class="keywords sr-only">Authenticate Zone Transfersxccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Authenticate Zone Transfers</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dns_server_authenticate_zone_transfers</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If it is necessary for a secondary nameserver to receive zone data
via zone transfer from the primary server, follow the instructions here.  Use
dnssec-keygen to create a symmetric key file in the current directory:
<pre>$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+aaa+iiiii</pre>
This output is the name of a file containing the new key. Read the file to find
the base64-encoded key string:
<pre>$ sudo cat Kdns.example.com.+NNN+MMMMM.key
dns.example.com IN KEY 512 3 157 base64-key-string</pre>
Add the directives to <code>/etc/named.conf</code> on the primary server:
<pre>key zone-transfer-key {
  algorithm hmac-md5;
  secret "base64-key-string";
};
zone "example.com" IN {
  type master;
  allow-transfer { key zone-transfer-key; };
  ...
};</pre>
Add the directives below to <code>/etc/named.conf</code> on the secondary nameserver:
<pre>key zone-transfer-key {
  algorithm hmac-md5;
  secret "base64-key-string";
};

server IP-OF-MASTER {
  keys { zone-transfer-key; };
};

zone "example.com" IN {
  type slave;
  masters { IP-OF-MASTER; };
  ...
};</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The BIND transaction signature (TSIG) functionality allows primary
and secondary nameservers to use a shared secret to verify authorization to
perform zone transfers. This method is more secure than using IP-based limiting
to restrict nameserver access, since IP addresses can be easily spoofed.
However, if you cannot configure TSIG between your servers because, for
instance, the secondary nameserver is not under your control and its
administrators are unwilling to configure TSIG, you can configure an
allow-transfer directive with numerical IP addresses or ACLs as a last resort.
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        The purpose of the dnssec-keygen command is to
create the shared secret string base64-key-string. Once this secret has been
obtained and inserted into named.conf on the primary and secondary servers, the
key files Kdns.example.com.+NNN+MMMMM.key and
Kdns.example.com.+NNN+MMMMM.private are no longer needed, and may safely be deleted.</div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates" id="rule-detail-idp124155552"><div class="keywords sr-only">Disable Dynamic Updatesxccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Dynamic Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dns_server_disable_dynamic_updates</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Is there a mission-critical reason to enable the risky dynamic
update functionality? If not, edit <code>/etc/named.conf</code>. For each zone
specification, correct the following directive if necessary:
<pre>zone "example.com" IN {
  allow-update { none; };
  ...
};</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Dynamic updates allow remote servers to add, delete, or modify any
entries in your zone file. Therefore, they should be considered highly risky,
and disabled unless there is a very good reason for their use. If dynamic
updates must be allowed, IP-based ACLs are insufficient protection, since they
are easily spoofed. Instead, use TSIG keys (see the previous section for an
example), and consider using the update-policy directive to restrict changes to
only the precise type of change needed.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled" id="rule-detail-idp124157920"><div class="keywords sr-only">Disable vsftpd Servicexccdf_org.ssgproject.content_rule_service_vsftpd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable vsftpd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_vsftpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>vsftpd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable vsftpd.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running FTP server software provides a network-based avenue
of attack, and should be disabled if not needed.
Furthermore, the FTP protocol is unencrypted and creates
a risk of compromising sensitive information.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed" id="rule-detail-idp124162848"><div class="keywords sr-only">Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall vsftpd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_vsftpd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040490</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.10</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>vsftpd</code> package can be removed with the following command:
    <pre>$ sudo yum erase vsftpd</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Removing the vsftpd package decreases the risk of its
accidental activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed" id="rule-detail-idp124167776"><div class="keywords sr-only">Install vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_installed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install vsftpd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_vsftpd_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If this machine must operate as an FTP server, install the <code>vsftpd</code> package via the standard channels.
<pre>$ sudo yum install vsftpd</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security
and for consistency with future Red Hat releases, the use of vsftpd is recommended.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" id="rule-detail-idp124179968"><div class="keywords sr-only">Restrict Access to Anonymous Users if Possiblexccdf_org.ssgproject.content_rule_ftp_restrict_to_anon lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Anonymous Users if Possible</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
<pre>local_enable=NO</pre>
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. </p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions" id="rule-detail-idp124171424"><div class="keywords sr-only">Enable Logging of All FTP Transactionsxccdf_org.ssgproject.content_rule_ftp_log_transactions lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable Logging of All FTP Transactions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ftp_log_transactions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Add or correct the following configuration options within the <code>vsftpd</code>
configuration file, located at <code>/etc/vsftpd/vsftpd.conf</code>:
<pre>xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is <code>/var/log/vsftpd.log</code>.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> 
                                        If verbose logging to <code>vsftpd.log</code> is done, sparse logging of downloads to <code>/var/log/xferlog</code> will not also occur. However, the information about what files were downloaded is included in the information logged to <code>vsftpd.log</code></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ftp_present_banner" id="rule-detail-idp124176336"><div class="keywords sr-only">Create Warning Banners for All FTP Usersxccdf_org.ssgproject.content_rule_ftp_present_banner mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Create Warning Banners for All FTP Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ftp_present_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Edit the vsftpd configuration file, which resides at <code>/etc/vsftpd/vsftpd.conf</code>
by default. Add or correct the following configuration options:
<pre>banner_file=/etc/issue</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This setting will cause the system greeting banner to be used for FTP connections as well.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads" id="rule-detail-idp124182320"><div class="keywords sr-only">Disable FTP Uploads if Possiblexccdf_org.ssgproject.content_rule_ftp_disable_uploads lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable FTP Uploads if Possible</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ftp_disable_uploads</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Is there a mission-critical reason for users to upload files via FTP? If not,
edit the vsftpd configuration file to add or correct the following configuration options:
<pre>write_enable=NO</pre>
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Anonymous FTP can be a convenient way to make files available for universal download. However, it is less
common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it
is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_ftp_home_partition" id="rule-detail-idp124184672"><div class="keywords sr-only">Place the FTP Home Directory on its Own Partitionxccdf_org.ssgproject.content_rule_ftp_home_partition lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Place the FTP Home Directory on its Own Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ftp_home_partition</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, the anonymous FTP root is the home directory of the FTP user account. The df command can
be used to verify that this directory is on its own partition.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent
these users from filling a disk used by other services.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_httpd_disabled" id="rule-detail-idp124187024"><div class="keywords sr-only">Disable httpd Servicexccdf_org.ssgproject.content_rule_service_httpd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable httpd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_httpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>httpd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable httpd.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running web server software provides a network-based avenue
of attack, and should be disabled if not needed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_httpd_removed" id="rule-detail-idp124191952"><div class="keywords sr-only">Uninstall httpd Packagexccdf_org.ssgproject.content_rule_package_httpd_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall httpd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_httpd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.11</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>httpd</code> package can be removed with the following command:
    <pre>$ sudo yum erase httpd</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to make the web server software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod" id="rule-detail-idp124196864"><div class="keywords sr-only">Set httpd ServerTokens Directive to Prodxccdf_org.ssgproject.content_rule_httpd_servertokens_prod lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set httpd ServerTokens Directive to Prod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_servertokens_prod</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>ServerTokens Prod</code> restricts information in page headers, returning only the word "Apache."
<br><br>
Add or correct the following directive in <code>/etc/httpd/conf/httpd.conf</code>:
<pre>ServerTokens Prod</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Information disclosed to clients about the configuration of the web server and system could be used
to plan an attack on the given system. This information disclosure should be restricted to a minimum.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_serversignature_off" id="rule-detail-idp124199232"><div class="keywords sr-only">Set httpd ServerSignature Directive to Offxccdf_org.ssgproject.content_rule_httpd_serversignature_off lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set httpd ServerSignature Directive to Off</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_serversignature_off</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>ServerSignature Off</code> prevents <code>httpd</code> from displaying the server version number
on error pages.
<br><br>
Add or correct the following directive in <code>/etc/httpd/conf/httpd.conf</code>:
<pre>ServerSignature Off</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Information disclosed to clients about the configuration of the web server and system could be used
to plan an attack on the given system. This information disclosure should be restricted to a minimum.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_digest_authentication" id="rule-detail-idp124201600"><div class="keywords sr-only">Disable HTTP Digest Authenticationxccdf_org.ssgproject.content_rule_httpd_digest_authentication lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable HTTP Digest Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_digest_authentication</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>auth_digest</code> module provides encrypted authentication sessions.
If this functionality is unnecessary, comment out the related module:
<pre>#LoadModule auth_digest_module modules/mod_auth_digest.so</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_mod_rewrite" id="rule-detail-idp124203968"><div class="keywords sr-only">Disable HTTP mod_rewritexccdf_org.ssgproject.content_rule_httpd_mod_rewrite lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable HTTP mod_rewrite</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_mod_rewrite</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>mod_rewrite</code> module is very powerful and can protect against
certain classes of web attacks. However, it is also very complex and has a
significant history of vulnerabilities itself. If its functionality is
unnecessary, comment out the related module:
<pre>#LoadModule rewrite_module modules/mod_rewrite.so</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_ldap_support" id="rule-detail-idp124206320"><div class="keywords sr-only">Disable LDAP Supportxccdf_org.ssgproject.content_rule_httpd_ldap_support lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable LDAP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_ldap_support</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>ldap</code> module provides HTTP authentication via an LDAP directory.
If its functionality is unnecessary, comment out the related modules:
<pre>#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so</pre>
If LDAP is to be used, SSL encryption should be used as well.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_server_side_includes" id="rule-detail-idp124208672"><div class="keywords sr-only">Disable Server Side Includesxccdf_org.ssgproject.content_rule_httpd_server_side_includes lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Server Side Includes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_server_side_includes</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Server Side Includes provide a method of dynamically generating web pages through the
insertion of server-side code. However, the technology is also deprecated and
introduces significant security concerns.
If this functionality is unnecessary, comment out the related module:
<pre>#LoadModule include_module modules/mod_include.so</pre>
If there is a critical need for Server Side Includes, they should be enabled with the
option <code>IncludesNoExec</code> to prevent arbitrary code execution. Additionally,
user-supplied data should be encoded to prevent cross-site scripting vulnerabilities.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_mime_magic" id="rule-detail-idp124211040"><div class="keywords sr-only">Disable MIME Magicxccdf_org.ssgproject.content_rule_httpd_mime_magic lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable MIME Magic</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_mime_magic</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>mime_magic</code> module provides a second layer of MIME support that in most configurations
is likely extraneous. If its functionality is unnecessary, comment out the related module:
<pre>#LoadModule mime_magic_module modules/mod_mime_magic.so</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_webdav" id="rule-detail-idp124213392"><div class="keywords sr-only">Disable WebDAV (Distributed Authoring and Versioning)xccdf_org.ssgproject.content_rule_httpd_webdav lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable WebDAV (Distributed Authoring and Versioning)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_webdav</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
WebDAV is an extension of the HTTP protocol that provides distributed and
collaborative access to web content. If its functionality is unnecessary,
comment out the related modules:
<pre>#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so</pre>
If there is a critical need for WebDAV, extra care should be taken in its configuration.
Since DAV access allows remote clients to manipulate server files, any location on the
server that is DAV enabled should be protected by access controls.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_server_activity_status" id="rule-detail-idp124215744"><div class="keywords sr-only">Disable Server Activity Statusxccdf_org.ssgproject.content_rule_httpd_server_activity_status lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Server Activity Status</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_server_activity_status</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>status</code> module provides real-time access to statistics on the internal operation of
the web server. This may constitute an unnecessary information leak and should be disabled
unless necessary. To do so, comment out the related module:
<pre>#LoadModule status_module modules/mod_status.so</pre>
If there is a critical need for this module, ensure that access to the status
page is properly restricted to a limited set of hosts in the status handler
configuration.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_server_configuration_display" id="rule-detail-idp124218112"><div class="keywords sr-only">Disable Web Server Configuration Displayxccdf_org.ssgproject.content_rule_httpd_server_configuration_display lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Web Server Configuration Display</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_server_configuration_display</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>info</code> module creates a web page illustrating the configuration of the web server. This
can create an unnecessary security leak and should be disabled.
If its functionality is unnecessary, comment out the module:
<pre>#LoadModule info_module modules/mod_info.so</pre>
If there is a critical need for this module, use the <code>Location</code> directive to provide
an access control list to restrict access to the information.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_url_correction" id="rule-detail-idp124220480"><div class="keywords sr-only">Disable URL Correction on Misspelled Entriesxccdf_org.ssgproject.content_rule_httpd_url_correction lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable URL Correction on Misspelled Entries</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_url_correction</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>speling</code> module attempts to find a document match by allowing one misspelling in an
otherwise failed request. If this functionality is unnecessary, comment out the module:
<pre>#LoadModule speling_module modules/mod_speling.so</pre>
This functionality weakens server security by making site enumeration easier.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_proxy_support" id="rule-detail-idp124222832"><div class="keywords sr-only">Disable Proxy Supportxccdf_org.ssgproject.content_rule_httpd_proxy_support lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Proxy Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_proxy_support</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>proxy</code> module provides proxying support, allowing <code>httpd</code> to forward requests and
serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:
<pre>#LoadModule proxy_module modules/mod_proxy.so</pre>

If proxy support is needed, load <code>mod_proxy</code> and the appropriate proxy protocol handler
module (one of <code>mod_proxy_http</code>, <code>mod_proxy_ftp</code>, or <code>mod_proxy_connect</code>). Additionally,
make certain that a server is secure before enabling proxying, as open proxy servers
are a security risk. <code>mod_proxy_balancer</code> enables load balancing, but requires that
<code>mod_status</code> be enabled.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_cache_support" id="rule-detail-idp124225184"><div class="keywords sr-only">Disable Cache Supportxccdf_org.ssgproject.content_rule_httpd_cache_support lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Cache Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_cache_support</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>cache</code> module allows <code>httpd</code> to cache data, optimizing access to
frequently accessed content. However, it introduces potential security flaws
such as the possibility of circumventing <code>Allow</code> and
<code>Deny</code> directives.
<br><br> If this functionality is
unnecessary, comment out the module:
<pre>#LoadModule cache_module modules/mod_cache.so</pre>
If caching is required, it should not be enabled for any limited-access content.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_cgi_support" id="rule-detail-idp124227536"><div class="keywords sr-only">Disable CGI Supportxccdf_org.ssgproject.content_rule_httpd_cgi_support lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable CGI Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_cgi_support</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>cgi</code> module allows HTML to interact with the CGI web programming language.
<br><br>
If this functionality is unnecessary, comment out the module:
<pre>#LoadModule cgi_module modules/mod_cgi.so</pre>

If the web server requires the use of CGI, enable <code>mod_cgi</code>.

</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_restrict_root_directory" id="rule-detail-idp124229888"><div class="keywords sr-only">Restrict Root Directoryxccdf_org.ssgproject.content_rule_httpd_restrict_root_directory lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Root Directory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_restrict_root_directory</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The <code>httpd</code> root directory should always have the most restrictive configuration enabled.
<pre>&lt;Directory / &gt;
   Options None
   AllowOverride None
   Order allow,deny
&lt;/Directory&gt;</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The Web Server's root directory content should be protected from unauthorized access
by web clients.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_restrict_web_directory" id="rule-detail-idp124232256"><div class="keywords sr-only">Restrict Web Directoryxccdf_org.ssgproject.content_rule_httpd_restrict_web_directory lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Web Directory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_restrict_web_directory</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
The default configuration for the web directory (<code>/var/www/html</code>) allows directory
indexing (<code>Indexes</code>) and the following of symbolic links (<code>FollowSymLinks</code>).
Neither of these is recommended.
<br><br>
The <code>/var/www/html</code> directory hierarchy should not be viewable via the web, and
symlinks should only be followed if the owner of the symlink also owns the linked file.
<br><br>
Ensure that this policy is adhered to by altering the related section of the configuration:
<pre>&lt;Directory "/var/www/html"&gt;
#  ...
   Options SymLinksIfOwnerMatch
#  ...
&lt;/Directory&gt;</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access to the web server's directory hierarchy could allow access to unauthorized files
by web clients. Following symbolic links could also allow such access.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories" id="rule-detail-idp124234624"><div class="keywords sr-only">Restrict Other Critical Directoriesxccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Restrict Other Critical Directories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_restrict_critical_directories</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
All accessible web directories should be configured with similarly restrictive settings.
The <code>Options</code> directive should be limited to necessary functionality and the <code>AllowOverride</code>
directive should be used only if needed. The <code>Order</code> and <code>Deny</code> access control tags
should be used to deny access by default, allowing access only where necessary.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Directories accessible from a web client should be configured with the least amount of
access possible in order to avoid unauthorized access to restricted content or server information.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_limit_available_methods" id="rule-detail-idp124236992"><div class="keywords sr-only">Limit Available Methodsxccdf_org.ssgproject.content_rule_httpd_limit_available_methods lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Limit Available Methods</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_limit_available_methods</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Web server methods are defined in section 9 of RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt).
If a web server does not require the implementation of all available methods,
they should be disabled.
<br><br>
Note: <code>GET</code> and <code>POST</code> are the most common methods. A majority of the others
are limited to the WebDAV protocol.
<pre>&lt;Directory /var/www/html&gt;
# ...
   # Only allow specific methods (this command is case-sensitive!)
   &lt;LimitExcept GET POST&gt;
      Order allow,deny
   &lt;/LimitExcept&gt;
# ...
&lt;/Directory&gt;</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Minimizing the number of available methods to the web client reduces risk
by limiting the capabilities allowed by the web server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_install_mod_ssl" id="rule-detail-idp124239360"><div class="keywords sr-only">Install mod_sslxccdf_org.ssgproject.content_rule_httpd_install_mod_ssl lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install mod_ssl</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_install_mod_ssl</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install the <code>mod_ssl</code> module:
<pre>$ sudo yum install mod_ssl</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>mod_ssl</code> provides encryption capabilities for the <code>httpd</code> Web server. Unencrypted
content is transmitted in plain text which could be passively monitored and accessed by
unauthorized parties.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_httpd_install_mod_security" id="rule-detail-idp124241712"><div class="keywords sr-only">Install mod_securityxccdf_org.ssgproject.content_rule_httpd_install_mod_security lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Install mod_security</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_httpd_install_mod_security</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Install the <code>security</code> module:
<pre>$ sudo yum install mod_security</pre>

</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>mod_security</code> provides an additional level of protection for the web server by
enabling the administrator to implement content access policies and filters at the
application layer.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd" id="rule-detail-idp124244080"><div class="keywords sr-only">Set Permissions on the /var/log/httpd/ Directoryxccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set Permissions on the /var/log/httpd/ Directory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Ensure that the permissions on the web server log directory are set to 700:
<pre>$ sudo chmod 700 /var/log/httpd/</pre>
This is its default setting.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access to the web server's log files may allow an unauthorized user or attacker
to access information about the web server or alter the server's log files.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf" id="rule-detail-idp124247728"><div class="keywords sr-only">Set Permissions on the /etc/httpd/conf/ Directoryxccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set Permissions on the /etc/httpd/conf/ Directory</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_etc_httpd_conf</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Set permissions on the web server configuration directory to 750:
<pre>$ sudo chmod 750 /etc/httpd/conf/</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access to the web server's configuration files may allow an unauthorized user or attacker
to access information about the web server or alter the server's configuration files.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files" id="rule-detail-idp124251376"><div class="keywords sr-only">Set Permissions on All Configuration Files Inside /etc/httpd/conf/xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Set Permissions on All Configuration Files Inside /etc/httpd/conf/</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Set permissions on the web server configuration files to 640:
<pre>$ sudo chmod 640 /etc/httpd/conf/*</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Access to the web server's configuration files may allow an unauthorized user or attacker
to access information about the web server or to alter the server's configuration files.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_dovecot_disabled" id="rule-detail-idp124255056"><div class="keywords sr-only">Disable Dovecot Servicexccdf_org.ssgproject.content_rule_service_dovecot_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Dovecot Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_dovecot_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>dovecot</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable dovecot.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running an IMAP or POP3 server provides a network-based
avenue of attack, and should be disabled if not needed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_dovecot_removed" id="rule-detail-idp124259984"><div class="keywords sr-only">Uninstall dovecot Packagexccdf_org.ssgproject.content_rule_package_dovecot_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall dovecot Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dovecot_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.12</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>dovecot</code> package can be uninstalled
with the following command:
<pre>$ sudo yum erase dovecot</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to make the Dovecot software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dovecot_enable_ssl" id="rule-detail-idp124264912"><div class="keywords sr-only">Enable the SSL flag in /etc/dovecot.confxccdf_org.ssgproject.content_rule_dovecot_enable_ssl lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Enable the SSL flag in /etc/dovecot.conf</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dovecot_enable_ssl</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>To allow clients to make encrypted connections, the <code>ssl</code>
flag in Dovecot's configuration file must be set to <code>yes</code>.
<br><br>
Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct the following line:
<pre>ssl = yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSL encrypts network traffic between the Dovecot server and its clients,
protecting user credentials and mail as it is downloaded. Clients may also use
SSL certificates to authenticate the server, preventing another system from
impersonating the server.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert" id="rule-detail-idp124268544"><div class="keywords sr-only">Configure Dovecot to Use the SSL Certificate filexccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Dovecot to Use the SSL Certificate file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_cert</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>This option tells Dovecot where to find the mail
server's SSL Certificate.
<br><br>
Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct the following 
line (<i>note: the path below is the default path set by the Dovecot installation. If 
you are using a different path, ensure you reference the appropriate file</i>):
<pre>ssl_cert = &lt;/etc/pki/dovecot/certs/dovecot.pem</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSL certificates are used by the client to authenticate the identity
of the server, as well as to encrypt credentials and message traffic.
Not using SSL to encrypt mail server traffic could allow unauthorized
access to credentials and mail messages since they are sent in plain 
text over the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key" id="rule-detail-idp124270912"><div class="keywords sr-only">Configure Dovecot to Use the SSL Key filexccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure Dovecot to Use the SSL Key file</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dovecot_configure_ssl_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>This option tells Dovecot where to find the mail
server's SSL Key.
<br><br>
Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> and add or correct the following 
line (<i>note: the path below is the default path set by the Dovecot installation. If 
you are using a different path, ensure you reference the appropriate file</i>):
<pre>ssl_key = &lt;/etc/pki/dovecot/private/dovecot.pem</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
SSL certificates are used by the client to authenticate the identity
of the server, as well as to encrypt credentials and message traffic.
Not using SSL to encrypt mail server traffic could allow unauthorized
access to credentials and mail messages since they are sent in plain 
text over the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth" id="rule-detail-idp124273280"><div class="keywords sr-only">Disable Plaintext Authenticationxccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Plaintext Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dovecot_disable_plaintext_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>To prevent Dovecot from attempting plaintext 
authentication of clients, edit <code>/etc/dovecot/conf.d/10-auth.conf</code> and add
or correct the following line:
<pre>disable_plaintext_auth = yes</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Using plain text authentication to the mail server could allow an 
attacker access to credentials by monitoring network traffic.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_zebra_disabled" id="rule-detail-idp124276944"><div class="keywords sr-only">Disable Quagga Servicexccdf_org.ssgproject.content_rule_service_zebra_disabled mediumCCE-27191-6 </div><div class="panel-heading"><h3 class="panel-title">Disable Quagga Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_zebra_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27191-6">CCE-27191-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040730</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>zebra</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable zebra.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Routing protocol daemons are typically used on routers to exchange network
topology information with other routers. If routing daemons are used when not
required, system network information may be unnecessarily transmitted across
the network.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-detail-idp124280592"><div class="keywords sr-only">Uninstall quagga Packagexccdf_org.ssgproject.content_rule_package_quagga_removed mediumCCE-27594-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall quagga Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_quagga_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27594-1">CCE-27594-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-32</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">TBD</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>quagga</code> package can be removed with the following command:
    <pre>$ sudo yum erase quagga</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Routing software is typically used on routers to exchange network topology information
with other routers. If routing software is used when not required, system network
information may be unnecessarily transmitted across the network.
<br>
If there is no need to make the router software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_smb_disabled" id="rule-detail-idp124285520"><div class="keywords sr-only">Disable Sambaxccdf_org.ssgproject.content_rule_service_smb_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Samba</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_smb_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>smb</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable smb.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running a Samba server provides a network-based avenue of attack, and
should be disabled if not needed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_samba_removed" id="rule-detail-idp124290432"><div class="keywords sr-only">Uninstall Samba Packagexccdf_org.ssgproject.content_rule_package_samba_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall Samba Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_samba_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.13</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>samba</code> package can be uninstalled
with the following command:
<pre>$ sudo yum erase samba</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to make the Samba software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root" id="rule-detail-idp124295344"><div class="keywords sr-only">Disable Root Access to SMB Sharesxccdf_org.ssgproject.content_rule_smb_server_disable_root lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Root Access to SMB Shares</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smb_server_disable_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Administrators should not use administrator accounts to access
Samba file and printer shares. Disable the root user and the wheel
administrator group:
<pre>[<i>share</i>]
  invalid users = root @wheel</pre>
If administrator accounts cannot be disabled, ensure that local machine
passwords and Samba service passwords do not match.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Typically, administrator access is required when Samba must create user and
machine accounts and shares. Domain member servers and standalone servers may
not need administrator access at all. If that is the case, add the invalid
users parameter to <code>[global]</code> instead.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing" id="rule-detail-idp124297712"><div class="keywords sr-only">Require Client SMB Packet Signing, if using smbclientxccdf_org.ssgproject.content_rule_require_smb_client_signing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Require Client SMB Packet Signing, if using smbclient</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_smb_client_signing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
To require Samba clients running <code>smbclient</code> to use
packet signing, add the following to the <code>[global]</code> section
of the Samba configuration file, <code>/etc/samba/smb.conf</code>:
<pre>client signing = mandatory</pre>
Requiring Samba clients such as <code>smbclient</code> to use packet
signing ensures they can only communicate with servers that support
packet signing.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Packet signing can prevent
man-in-the-middle attacks which modify SMB packets in
transit.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing" id="rule-detail-idp124302672"><div class="keywords sr-only">Require Client SMB Packet Signing, if using mount.cifsxccdf_org.ssgproject.content_rule_mount_option_smb_client_signing lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Require Client SMB Packet Signing, if using mount.cifs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>Require packet signing of clients who mount Samba
shares using the <code>mount.cifs</code> program (e.g., those who specify shares
in <code>/etc/fstab</code>). To do so, ensure signing options (either
<code>sec=krb5i</code> or <code>sec=ntlmv2i</code>) are used.
<br><br>
See the <code>mount.cifs(8)</code> man page for more information. A Samba
client should communicate only with servers that support SMB
packet signing.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Packet signing can prevent man-in-the-middle
attacks which modify SMB packets in transit.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-detail-idp124307632"><div class="keywords sr-only">Disable Squidxccdf_org.ssgproject.content_rule_service_squid_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable Squid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_squid_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>squid</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable squid.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running proxy server software provides a network-based avenue
of attack, and should be removed if not needed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-detail-idp124312560"><div class="keywords sr-only">Uninstall squid Packagexccdf_org.ssgproject.content_rule_package_squid_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall squid Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_squid_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.14</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>squid</code> package can be removed with the following command:
    <pre>$ sudo yum erase squid</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to make the proxy server software available,
removing it provides a safeguard against its activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-detail-idp124317472"><div class="keywords sr-only">Disable snmpd Servicexccdf_org.ssgproject.content_rule_service_snmpd_disabled lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Disable snmpd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_snmpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
            
    The <code>snmpd</code> service can be disabled with the following command:
    <pre>$ sudo systemctl disable snmpd.service</pre>
          </p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Running SNMP software provides a network-based avenue of attack, and
should be disabled if not needed.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_package_net-snmp_removed" id="rule-detail-idp124322400"><div class="keywords sr-only">Uninstall net-snmp Packagexccdf_org.ssgproject.content_rule_package_net-snmp_removed lowCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Uninstall net-snmp Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_net-snmp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.15</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>net-snmp</code> package provides the snmpd service.

    The <code>net-snmp</code> package can be removed with the following command:
    <pre>$ sudo yum erase net-snmp</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-detail-idp124327328"><div class="keywords sr-only">Configure SNMP Service to Use Only SNMPv3 or Newer xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol mediumCCE-RHEL7-CCE-TBD </div><div class="panel-heading"><h3 class="panel-title">Configure SNMP Service to Use Only SNMPv3 or Newer </h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-RHEL7-CCE-TBD">CCE-RHEL7-CCE-TBD</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>rocommunity</code>, <code>rwcommunity</code>, or <code>com2sec</code>.
After removing them, restart the SNMP service:
<pre>$ sudo service snmpd restart</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Earlier versions of SNMP are considered insecure, as they potentially allow 
unauthorized access to detailed system management information.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_not_default_password" id="rule-detail-idp124332256"><div class="keywords sr-only">Ensure Default SNMP Password Is Not Usedxccdf_org.ssgproject.content_rule_snmpd_not_default_password highCCE-27386-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Default SNMP Password Is Not Used</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_not_default_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">identifiers:</span> 
            <abbr title="http://cce.mitre.org: CCE-27386-2">CCE-27386-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5.1(ii)</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</a>, <a href="">SRG-OS-000480-GPOS-00227</a>, <a href="">040580</a>, <a href="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors">Test attestation on 20121214 by MAN</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Edit <code>/etc/snmp/snmpd.conf</code> and remove or change the default community strings
<code>public</code> and <code>private</code>.
Once the default community strings have been changed, restart the SNMP service:
<pre>$ sudo service snmpd restart</pre>
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Whether active or not, default simple network management protocol (SNMP) community
strings must be changed to maintain security. If the service is running with the
default authenticators, then anyone can gather data about the system and the network
and use the information to potentially compromise the integrity of the system and
network(s).
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_met_inherently_generic" id="rule-detail-idp124335920"><div class="keywords sr-only">Product Meets this Requirementxccdf_org.ssgproject.content_rule_met_inherently_generic low</div><div class="panel-heading"><h3 class="panel-title">Product Meets this Requirement</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_met_inherently_generic</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">42</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">56</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">206</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1084</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">66</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">86</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">185</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">223</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">171</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1694</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">804</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">162</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">164</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">345</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">346</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1096</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1111</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1291</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">386</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">156</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">186</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1083</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1082</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1090</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">804</a>, <a 
href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1127</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1128</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1129</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1248</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1265</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1362</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1368</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1310</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1311</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1328</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1399</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1400</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1404</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1405</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1427</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1632</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1693</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1665</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1674</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
This requirement is a permanent "not a finding". No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Red Hat Enterprise Linux meets this requirement through design and implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_met_inherently_auditing" id="rule-detail-idp124338944"><div class="keywords sr-only">Product Meets this Requirementxccdf_org.ssgproject.content_rule_met_inherently_auditing low</div><div class="panel-heading"><h3 class="panel-title">Product Meets this Requirement</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_met_inherently_auditing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">130</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">157</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">131</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">132</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">133</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">134</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">159</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">174</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
This requirement is a permanent "not a finding". No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_met_inherently_nonselected" id="rule-detail-idp124341968"><div class="keywords sr-only">Product Meets this Requirementxccdf_org.ssgproject.content_rule_met_inherently_nonselected low</div><div class="panel-heading"><h3 class="panel-title">Product Meets this Requirement</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_met_inherently_nonselected</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">34</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">35</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">99</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">154</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">226</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">802</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">872</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1086</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1087</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1089</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1091</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1424</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1426</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1428</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1209</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1214</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1237</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1269</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1338</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1425</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1670</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
This requirement is a permanent "not a finding". No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Red Hat Enterprise Linux meets this requirement through design and implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_unmet_nonfinding_nonselected_scope" id="rule-detail-idp124345008"><div class="keywords sr-only">Guidance Does Not Meet this Requirement Due to Impracticality or Scopexccdf_org.ssgproject.content_rule_unmet_nonfinding_nonselected_scope low</div><div class="panel-heading"><h3 class="panel-title">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_unmet_nonfinding_nonselected_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">21</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">25</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">28</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">29</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">30</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">165</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">221</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">354</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">553</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">779</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">780</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">781</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1009</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1094</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1123</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1124</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1125</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1132</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1135</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1140</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1141</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1142</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1143</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1145</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1147</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1148</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1166</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1339</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1340</a>, <a 
href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1341</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1350</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1356</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1373</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1374</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1383</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1391</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1392</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1395</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1662</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
This requirement is NA. No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_unmet_finding_nonselected" id="rule-detail-idp124348048"><div class="keywords sr-only">Implementation of the Requirement is Not Supportedxccdf_org.ssgproject.content_rule_unmet_finding_nonselected low</div><div class="panel-heading"><h3 class="panel-title">Implementation of the Requirement is Not Supported</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_unmet_finding_nonselected</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">20</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">31</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">52</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">144</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1158</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1294</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1295</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1500</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
This requirement is a permanent finding and cannot be fixed. An appropriate
mitigation for the system must be implemented, but this finding cannot be
considered fixed.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
RHEL7 does not support this requirement.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_unmet_nonfinding_scope" id="rule-detail-idp124351072"><div class="keywords sr-only">Guidance Does Not Meet this Requirement Due to Impracticality or Scopexccdf_org.ssgproject.content_rule_unmet_nonfinding_scope low</div><div class="panel-heading"><h3 class="panel-title">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_unmet_nonfinding_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">15</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">27</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">218</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">219</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">371</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">372</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">535</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">537</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">539</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1682</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">370</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">37</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">24</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1112</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1126</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1143</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1149</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1157</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1159</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1210</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1211</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1274</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1372</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1376</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1377</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1352</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1401</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1555</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1556</a>, <a 
href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> 
This requirement is NA. No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_update_process" id="rule-detail-idp124354096"><div class="keywords sr-only">A process for prompt installation of OS updates must exist.xccdf_org.ssgproject.content_rule_update_process low</div><div class="panel-heading"><h3 class="panel-title">A process for prompt installation of OS updates must exist.</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_update_process</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1232</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
Procedures to promptly apply software updates must be established and
executed. The Red Hat operating system provides support for automating such a
process, by running the yum program through a cron job or by managing the
system and its packages through the Red Hat Network or a Satellite Server.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
This is a manual inquiry about update procedure.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_c2s_procedural_requirement" id="rule-detail-idp124357104"><div class="keywords sr-only">Procedural Requirementxccdf_org.ssgproject.content_rule_c2s_procedural_requirement low</div><div class="panel-heading"><h3 class="panel-title">Procedural Requirement</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_c2s_procedural_requirement</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>This requirement is procedural, and cannot be met
through automated means.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This requirement is procedural, and cannot be met through
automated means.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_c2s_not_OS_applicable" id="rule-detail-idp124360144"><div class="keywords sr-only">Not Applicable to Operating Systemxccdf_org.ssgproject.content_rule_c2s_not_OS_applicable low</div><div class="panel-heading"><h3 class="panel-title">Not Applicable to Operating System</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_c2s_not_OS_applicable</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>While this requirement is applicable at an information system level, implementation
is not performed within the Operating System.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This requirement is not applicable to an operating system.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_c2s_met_inherently" id="rule-detail-idp124361872"><div class="keywords sr-only">Product Meets this Requirementxccdf_org.ssgproject.content_rule_c2s_met_inherently low</div><div class="panel-heading"><h3 class="panel-title">Product Meets this Requirement</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_c2s_met_inherently</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>
This requirement is permanent not a finding. No fix is required.
</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>
Red Hat Enterprise Linux meets this requirement through design and implementation.
</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_apply_to_everything" id="rule-detail-idp124364880"><div class="keywords sr-only">Requirement Applies to All Rulesxccdf_org.ssgproject.content_rule_apply_to_everything low</div><div class="panel-heading"><h3 class="panel-title">Requirement Applies to All Rules</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_apply_to_everything</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>These are generic requirements, and apply to all rules</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The following requirements apply to all rules</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-notselected rule-detail-id-xccdf_org.ssgproject.content_rule_cis_xinetd" id="rule-detail-idp124366608"><div class="keywords sr-only">Rule Compliance through Removal of xinetdxccdf_org.ssgproject.content_rule_cis_xinetd low</div><div class="panel-heading"><h3 class="panel-title">Rule Compliance through Removal of xinetd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_cis_xinetd</td></tr><tr><td>Result</td><td class="rule-result rule-result-notselected"><div><abbr title="The Rule was not selected in the evaluation. This may be caused by the rule not being selected by default in the benchmark or by the profile unselecting it.">notselected</abbr></div></td></tr><tr><td>Time</td><td>2016-04-28T03:00:12</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">references:</span> 
            <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.12</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.13</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.14</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.15</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.16</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.17</a>, <a href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.18</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The upstream CIS guidance is incorrect, stating that xinetd services can be managed through systemctl. The proper way to disable xinetd services, such as chargen-dgram, is to create a <code>/etc/xinetd.d/SERVICE</code> file which disables the service. Regardless, these rules are inherently compliant with C2S/CIS policies through the removal of xinetd itself.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>These rules are inherently compliant when xinetd is removed
from the system.</p></div></td></tr></tbody></table></div></div></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.</div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit">
                Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.2.8</p></div></footer></body></html>