diff --git a/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch new file mode 100644 index 0000000..beb54c7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch @@ -0,0 +1,2196 @@ +commit 724676573314ec7537015db800ea9edc08bdeafe +Author: Gabriel Becker +Date: Fri Apr 5 14:49:41 2019 +0200 + + Mark rules that are not applicable in containers. Backport of 8a858d0c and 313b634c. + +diff --git a/linux_os/guide/services/base/service_irqbalance_enabled.rule b/linux_os/guide/services/base/service_irqbalance_enabled.rule +index a94a60d..d74e543 100644 +--- a/linux_os/guide/services/base/service_irqbalance_enabled.rule ++++ b/linux_os/guide/services/base/service_irqbalance_enabled.rule +@@ -24,3 +24,5 @@ references: + nist: CM-7 + + ocil: '{{{ ocil_service_disabled(service="irqbalance") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/cron_and_at/group.yml b/linux_os/guide/services/cron_and_at/group.yml +index 30f07e0..745ed46 100644 +--- a/linux_os/guide/services/cron_and_at/group.yml ++++ b/linux_os/guide/services/cron_and_at/group.yml +@@ -8,3 +8,5 @@ description: |- + all systems to perform necessary maintenance tasks, while at may or + may not be required on a given system. Both daemons should be + configured defensively. ++ ++platform: machine +diff --git a/linux_os/guide/services/docker/docker_storage_configured.rule b/linux_os/guide/services/docker/docker_storage_configured.rule +index c675292..a1c90e6 100644 +--- a/linux_os/guide/services/docker/docker_storage_configured.rule ++++ b/linux_os/guide/services/docker/docker_storage_configured.rule +@@ -20,3 +20,5 @@ severity: low + + identifiers: + cce@rhel7: 80441-9 ++ ++platform: machine +diff --git a/linux_os/guide/services/docker/service_docker_enabled.rule b/linux_os/guide/services/docker/service_docker_enabled.rule +index 6cd9df4..309771b 100644 +--- a/linux_os/guide/services/docker/service_docker_enabled.rule ++++ b/linux_os/guide/services/docker/service_docker_enabled.rule +@@ -20,3 +20,5 @@ identifiers: + cce@rhel7: 80440-1 + + ocil: '{{{ ocil_service_enabled(service="docker") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/mail/group.yml b/linux_os/guide/services/mail/group.yml +index 97ddf50..13f9730 100644 +--- a/linux_os/guide/services/mail/group.yml ++++ b/linux_os/guide/services/mail/group.yml +@@ -23,3 +23,5 @@ description: |- + Postfix was coded with security in mind and can also be more effectively contained by + SELinux as its modular design has resulted in separate processes performing specific actions. + More information is available on its website, {{{ weblink(link="http://www.postfix.org") }}}. ++ ++platform: machine +diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml +index c85ac8c..737b7f4 100644 +--- a/linux_os/guide/services/ntp/group.yml ++++ b/linux_os/guide/services/ntp/group.yml +@@ -55,3 +55,5 @@ description: |- + The upstream manual pages at {{{ weblink(link="http://chrony.tuxfamily.org/manual.html") }}} for + chronyd and {{{ weblink(link="http://www.ntp.org") }}} for ntpd provide additional + information on the capabilities and configuration of each of the NTP daemons. ++ ++platform: machine +diff --git a/linux_os/guide/services/ssh/group.yml b/linux_os/guide/services/ssh/group.yml +index 8919c8c..feb65ee 100644 +--- a/linux_os/guide/services/ssh/group.yml ++++ b/linux_os/guide/services/ssh/group.yml +@@ -12,3 +12,5 @@ description: |- + {{{ weblink(link="http://www.openssh.org") }}}. Its server program + is called sshd and provided by the RPM package + openssh-server. ++ ++platform: machine +diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml +index 49bfab9..ce74b3a 100644 +--- a/linux_os/guide/services/sssd/group.yml ++++ b/linux_os/guide/services/sssd/group.yml +@@ -17,3 +17,5 @@ description: |- + {{%- elif product == "rhel6" -%}} + {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html") }}} + {{%- endif %}} ++ ++platform: machine +diff --git a/linux_os/guide/services/sssd/sssd-ldap/group.yml b/linux_os/guide/services/sssd/sssd-ldap/group.yml +index a7c4c7d..0428dd1 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/group.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/group.yml +@@ -13,3 +13,5 @@ description: |- +

+ SSSD can support many backends including LDAP. The sssd-ldap backend + allows SSSD to fetch identity information from an LDAP server. ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule +index beb9a4d..52e6a26 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule +@@ -82,3 +82,5 @@ warnings: + key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The + Ctrl-Alt-Del key sequence will only be disabled if running in + the non-graphical runlevel 3. ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule +index 165bf92..d8d9116 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule +@@ -36,3 +36,5 @@ ocil: |- + systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. + Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates + that interactive boot is enabled at boot time. ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule +index 3d752e2..12d547d 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule +@@ -66,3 +66,5 @@ ocil: |- + ExecStart and /sbin/sulogin: +
ExecStart=-/sbin/sulogin
+ {{% endif %}} ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule +index 56c2464..d721694 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule +@@ -41,3 +41,5 @@ references: + ocil_clause: 'the package is not installed' + + ocil: '{{{ ocil_package(package="screen") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule +index 815097b..5c58455 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule +@@ -37,3 +37,5 @@ ocil: |- + To verify the operating system has the packages required for multifactor + authentication installed, run the following command: +
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk
++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule +index 5b01b62..e4c0870 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule +@@ -41,3 +41,5 @@ references: + ocil_clause: 'non-exempt accounts are not using CAC authentication' + + ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n" ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule +index 9af1126..c68db6d 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule +@@ -42,3 +42,5 @@ ocil: |- +
cert_policy = ca, ocsp_on, signature;
+     cert_policy = ca, ocsp_on, signature;
+     cert_policy = ca, ocsp_on, signature;
++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule +index a2be942..184571c 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule +@@ -31,3 +31,5 @@ references: + ospp@rhel7: FIA_AFL.1 + + ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule +index f1cd259..98fb3f8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule +@@ -57,3 +57,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule +index bc765d3..77be3c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule +index 62f9d31..e530ea9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule +index 6a3db98..2410fc9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule +index b4ffe52..4f0c7e7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule +index 5a3435d..12d51f8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule +index ad029f1..b0ff227 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule +@@ -61,3 +61,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule +index e9cd1f9..4e19015 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule +index 5cfd606..39fb8bd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule +index 72311d8..52d0c85 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule +@@ -61,3 +61,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule +index f84b153..f7ffae4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule +index 6bd3dfc..3ff38cf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule +@@ -60,3 +60,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule +index eaec4c5..da633bd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule +@@ -55,3 +55,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml +index 0de3ac0..0be694d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml +@@ -19,3 +19,5 @@ description: |- +
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+         -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+         -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule +index 8e40014..f2c7891 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule +@@ -47,3 +47,5 @@ ocil: |- +
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule +index 2a97b84..ea42555 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule +@@ -46,3 +46,5 @@ ocil: |- +
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule +index c2aedce..dd62afa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule +@@ -47,3 +47,5 @@ ocil: |- +
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule +index 247453e..2804b8d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule +@@ -47,3 +47,5 @@ ocil: |- +
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
+ The output should return something similar to: +
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule +index 346cd5a..d110f8a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule +@@ -65,3 +65,5 @@ warnings: +
  • audit_rules_file_deletion_events_unlink
  • +
  • audit_rules_file_deletion_events_unlinkat
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule +index e9948eb..51b1d54 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule +@@ -40,3 +40,5 @@ references: + stigid@rhel7: "030880" + + {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule +index 82c93a2..96133fc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule +@@ -40,3 +40,5 @@ references: + stigid@rhel7: "030890" + + {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule +index 419cb05..21abd3a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule +@@ -40,3 +40,5 @@ references: + stigid@rhel7: "030900" + + {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule +index cfd3553..25c2ec2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule +@@ -40,3 +40,5 @@ references: + stigid@rhel7: "030910" + + {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule +index 217a3cb..390a4e5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule +@@ -40,3 +40,5 @@ references: + stigid@rhel7: "030920" + + {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule +index f6a5e3e..370fbab 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule +@@ -38,3 +38,5 @@ references: + stigid@rhel7: "030830" + + {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule +index 4ce4f24..d86680d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule +@@ -36,3 +36,5 @@ references: + stigid@rhel7: "030821" + + {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule +index 8b73da7..01de6c8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule +@@ -37,3 +37,5 @@ references: + stigid@rhel7: "030820" + + {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule +index 3c4e05f..9610d30 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule +@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule +index 8ce37aa..bd266b8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule +@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule +index 7ab7824..b913129 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule +@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule +index a2bd65f..11d187d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule +@@ -53,3 +53,5 @@ warnings: +
  • audit_rules_login_events_faillock
  • +
  • audit_rules_login_events_lastlog
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule +index 78f9d91..b730fdd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule +@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/faillock"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule +index 6c1919d..83c5cb7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule +@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/lastlog"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule +index b0eed40..9a9770a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule +@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/tallylog"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule +index a1408e9..3815429 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule +@@ -81,3 +81,5 @@ warnings: +
  • audit_rules_privileged_commands_umount
  • +
  • audit_rules_privileged_commands_passwd
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule +index c2d56b1..9d6c828 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule +index 4c81432..ac5c38a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule +index 5baa248..03bcb6c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule +index cb856fa..5c8c407 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule +index 32f0182..b8f8e5c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule +index 7219c00..fda2e0c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule +index 8466855..cb41772 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule +index b648c05..6f3f787 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule +index eadb5f9..d6f4eeb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule +index 600608b..21e0a11 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule +@@ -46,3 +46,5 @@ ocil: |- + following command: +
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule +index 07b6ecc..fa7ff2b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule +index 5e7c3fc..d791805 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule +index b9c1c7a..e8b3585 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule +index 176de59..8984a84 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule +index d0fe096..5b636ea 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule +@@ -48,3 +48,5 @@ ocil: |- + following command: +
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule +index 61e6cc6..205bf97 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule +index 83bec28..91f31f3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule +@@ -49,3 +49,5 @@ ocil: |- + following command: +
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule +index 991abcf..2c42c74 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule +@@ -37,3 +37,5 @@ references: + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) + nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5 + pcidss: Req-10.5.2 ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule +index 7c4018b..5952dbb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule +@@ -47,3 +47,5 @@ ocil: |- + If the system is configured to watch for changes to its SELinux + configuration, a line should be returned (including + perm=wa indicating permissions that are watched). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule +index f1d9d6c..28c64ca 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule +@@ -50,3 +50,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for all media exportation events, run the following command: +
    $ sudo auditctl -l | grep syscall | grep mount
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule +index 3bda57f..55e1893 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule +@@ -55,3 +55,5 @@ ocil: |- +
    auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
    + If the system is configured to watch for network configuration changes, a line should be returned for + each file specified (and perm=wa should be indicated for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule +index e63f61a..017a053 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule +@@ -41,3 +41,5 @@ references: + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.3 ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule +index 15c33a2..3be1932 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule +@@ -47,3 +47,5 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule +index a01adea..d40c9df 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule +@@ -46,3 +46,5 @@ ocil: |- +
    $ sudo grep "\-f 2" /etc/audit/audit.rules
    + The output should contain: +
    -f 2
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule +index b8716ef..2838470 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule +@@ -68,3 +68,5 @@ warnings: +
  • audit_rules_usergroup_modification_gshadow
  • +
  • audit_rules_usergroup_modification_passwd
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule +index f161b14..143e63b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule +@@ -52,3 +52,5 @@ ocil: |- +

    + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule +index f9ae466..5e14989 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule +@@ -52,3 +52,5 @@ ocil: |- +

    + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule +index 4b02de3..9e7ce3d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule +@@ -52,3 +52,5 @@ ocil: |- +

    + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule +index 2940549..76bce57 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule +@@ -52,3 +52,5 @@ ocil: |- +

    + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule +index 0925d21..74819f5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule +@@ -52,3 +52,5 @@ ocil: |- +

    + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule +index 67ce61f..9dc2ceb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule +@@ -51,3 +51,5 @@ references: + ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule +index 136c6ef..436f5f0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule +@@ -51,3 +51,5 @@ references: + ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="clock_settime") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule +index 4003f25..22ec976 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule +@@ -51,3 +51,5 @@ references: + ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule +index d55c9a4..0572156 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule +@@ -57,3 +57,5 @@ ocil: |- + If the system is not configured to audit time changes, this is a finding. + If the system is 64-bit only, this is not applicable
    + {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule +index 70ce059..2fb8f7d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule +@@ -50,3 +50,5 @@ ocil: |- + command: +
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    + If the system is configured to audit this activity, it will return a line. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule +index 0151c6e..ea42793 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule +@@ -69,3 +69,5 @@ warnings: +
  • audit_rules_unsuccessful_file_modification_ftruncate
  • +
  • audit_rules_unsuccessful_file_modification_creat
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule +index f04df40..a328ff9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule +index ba75654..6229398 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule +index 6f07e27..13f12fe 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule +index c5adccc..ce4193a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule +index 4281e37..6f3c38a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule +index 97d81f5..f6e0263 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule +@@ -54,3 +54,5 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule +index c3f6674..14d41d0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule +@@ -33,3 +33,5 @@ references: + ocil: |- + {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} + {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule +index f9dc5f1..319b1bb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule +@@ -35,3 +35,5 @@ ocil: |- + Run the following command to check the mode of the system audit logs: +
    $ sudo ls -l /var/log/audit
    + Audit logs must be mode 0640 or less permissive. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule +index a2c1e28..94af473 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule +@@ -37,3 +37,5 @@ ocil: |- + The output should return something similar to where REMOTE_SYSTEM + is an IP address or hostname: +
    remote_server = REMOTE_SYSTEM
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule +index fafa442..502843d 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule +@@ -40,3 +40,5 @@ ocil: |- +
    disk_full_action = single
    + Acceptable values also include syslog and + halt. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule +index 94292ff..07d36df 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule +@@ -34,3 +34,5 @@ ocil: |- +
    $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
    + The output should return the following: +
    enable_krb5 = yes
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule +index 65cb5c2..7fc5566 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule +@@ -40,3 +40,5 @@ ocil: |- +
    network_failure_action = single
    + Acceptable values also include syslog and + halt. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule +index 75edf6a..c2891ab 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule +@@ -40,3 +40,5 @@ ocil: |- + To verify the audispd's syslog plugin is active, run the following command: +
    $ sudo grep active /etc/audisp/plugins.d/syslog.conf
    + If the plugin is active, the output will show yes. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule +index 692f804..cabdc03 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule +@@ -43,3 +43,5 @@ ocil: |- + determine if the system is configured to send email to an + account when it needs to notify an administrator: +
    action_mail_acct = root
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule +index bf07cff..7bad632 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule +@@ -48,3 +48,5 @@ ocil: |- + determine if the system is configured to either suspend, switch to single user mode, + or halt when disk space has run low: +
    admin_space_left_action single
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule +index 3a5b3ce..5475a85 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule +@@ -37,3 +37,5 @@ ocil: |- +
    flush = DATA
    + Acceptable values are DATA, and SYNC. The setting is + case-insensitive. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule +index faa46bf..06ec11d 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule +@@ -40,3 +40,5 @@ ocil: |- + determine how much data the system will retain in each audit log file: + $ sudo grep max_log_file /etc/audit/auditd.conf +
    max_log_file = 6
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule +index a6b6277..609ca46 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule +@@ -51,3 +51,5 @@ ocil: |- + maximum size: + $ sudo grep max_log_file_action /etc/audit/auditd.conf +
    max_log_file_action rotate
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule +index bf61ee0..5b1debc 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule +@@ -39,3 +39,5 @@ ocil: |- + determine how many logs the system is configured to retain after rotation: + $ sudo grep num_logs /etc/audit/auditd.conf +
    num_logs = 5
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule +index ac6bed0..d86ae02 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule +@@ -39,3 +39,5 @@ ocil: |- + Inspect /etc/audit/auditd.conf and locate the following line to + determine if the system is configured correctly: +
    space_left SIZE_in_MB
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule +index eb70dd0..7b4360f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule +@@ -57,3 +57,5 @@ ocil: |- + $ sudo grep space_left_action /etc/audit/auditd.conf +
    space_left_action
    + Acceptable values are email, suspend, single, and halt. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_argument.rule +index 68d4f49..29c451c 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument.rule ++++ b/linux_os/guide/system/auditing/grub2_audit_argument.rule +@@ -57,3 +57,5 @@ warnings: +
  • On UEFI-based machines, issue the following command as root: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/service_auditd_enabled.rule b/linux_os/guide/system/auditing/service_auditd_enabled.rule +index b2dd85f..ce32390 100644 +--- a/linux_os/guide/system/auditing/service_auditd_enabled.rule ++++ b/linux_os/guide/system/auditing/service_auditd_enabled.rule +@@ -41,3 +41,5 @@ references: + stigid@rhel7: "030000" + + ocil: '{{{ ocil_service_enabled(service="auditd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule +index 95c4589..02ee38d 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule ++++ b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule +@@ -27,3 +27,5 @@ ocil: |- +
    $ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg
    + If properly configured, the output should indicate the following + permissions: -rwx------ ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule +index 306a6c5..02e2515 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule ++++ b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule +@@ -31,3 +31,5 @@ ocil: |- +
    $ sudo ls -lL /boot/grub2/grub.cfg
    + If properly configured, the output should indicate the following + permissions: -rw------- ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml +index 81807fc..fe35833 100644 +--- a/linux_os/guide/system/bootloader-grub2/group.yml ++++ b/linux_os/guide/system/bootloader-grub2/group.yml +@@ -14,3 +14,5 @@ description: |- + parameters and endangering security, protect the boot loader configuration + with a password and ensure its configuration file's permissions + are set properly. ++ ++platform: machine +diff --git a/linux_os/guide/system/logging/group.yml b/linux_os/guide/system/logging/group.yml +index f089e86..345043e 100644 +--- a/linux_os/guide/system/logging/group.yml ++++ b/linux_os/guide/system/logging/group.yml +@@ -19,3 +19,5 @@ description: |- + This section discusses how to configure rsyslog for + best effect, and how to use tools provided with the system to maintain and + monitor logs. ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-firewalld/group.yml b/linux_os/guide/system/network/network-firewalld/group.yml +index 9512aa9..78bd398 100644 +--- a/linux_os/guide/system/network/network-firewalld/group.yml ++++ b/linux_os/guide/system/network/network-firewalld/group.yml +@@ -20,3 +20,5 @@ description: |- + immediately implemented. There is no need to save or apply the changes. No + unintended disruption of existing network connections occurs as no part of + the firewall has to be reloaded. ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule +index b49d841..eed98e2 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule +@@ -20,3 +20,5 @@ references: + nist: CM-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule +index 03e5540..fd66ec6 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule +@@ -21,3 +21,5 @@ references: + nist: CM-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule +index 23cc26a..e643932 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule +@@ -29,3 +29,5 @@ references: + stigid@rhel7: "040830" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule +index a3a7e91..48c7ba3 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule +@@ -24,3 +24,5 @@ references: + ocil: |- + {{{ ocil_sysctl_option_value(sysctl="net.ipv6.conf.all.forwarding", value="0") }}} + The ability to forward packets is only appropriate for routers. ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule +index 449519d..58305d9 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule +@@ -21,3 +21,5 @@ references: + nist: CM-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule +index 706f8c1..294fe2a 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule +@@ -24,3 +24,5 @@ references: + nist: CM-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule +index b2dc1b8..7942d50 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule +@@ -27,3 +27,5 @@ references: + nist: AC-4 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule +index 9c46fae..9d86019 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule +@@ -30,3 +30,5 @@ references: + ocil_clause: 'the ipv6 support is disabled on network interfaces' + + ocil: "If the system uses IPv6, this is not applicable.\n

    \nIf the system is configured to prevent the usage of the\nipv6 on network interfaces, it will contain a line\nof the form:\n
    net.ipv6.conf.all.disable_ipv6 = 1
    \nSuch lines may be inside any file in the /etc/sysctl.d directory. \nThis permits insertion of the IPv6 kernel module (which other parts of \nthe system expect to be present), but otherwise keeps all network interfaces\nfrom using IPv6.\nRun the following command to search for such\nlines in all files in /etc/sysctl.d:\n
    $ grep -r ipv6 /etc/sysctl.d
    " ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule +index 7287608..89e9074 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule +@@ -26,3 +26,5 @@ references: + stigid@rhel7: "040641" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule +index 5b66202..30aa26e 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule +@@ -26,3 +26,5 @@ references: + stigid@rhel7: "040610" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule +index 4b08783..44b2eda 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule +@@ -28,3 +28,5 @@ references: + nist: AC-17(7),CM-7,SC-5(3) + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.log_martians", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule +index 296f675..f71cd86 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule +@@ -28,3 +28,5 @@ references: + nist: AC-4,SC-5,SC-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule +index f23a5a9..7163301 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule +@@ -26,3 +26,5 @@ references: + nist: AC-4,CM-7,SC-5 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.secure_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule +index f12a39b..c61122b 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule +@@ -26,3 +26,5 @@ references: + stigid@rhel7: "040640" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule +index 8d1ea9e..ca97a79 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule +@@ -26,3 +26,5 @@ references: + stigid@rhel7: "040620" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_source_route", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule +index b52b71f..6fc91a5 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule +@@ -24,3 +24,5 @@ references: + nist: AC-17(7),CM-7,SC-5(3) + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.log_martians", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule +index 536963b..146d1e9 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule +@@ -27,3 +27,5 @@ references: + nist: AC-4,SC-5,SC-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.rp_filter", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule +index 3f5d6ff..ef394a0 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule +@@ -26,3 +26,5 @@ references: + nist: AC-4,CM-7,SC-5,SC-7 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.secure_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule +index 33b55da..9cd2206 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule +@@ -32,3 +32,5 @@ references: + stigid@rhel7: "040630" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_broadcasts", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule +index 6a19f10..d1b6671 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule +@@ -24,3 +24,5 @@ references: + nist: CM-7,SC-5 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_ignore_bogus_error_responses", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule +index 68dfe68..bce344d 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule +@@ -32,3 +32,5 @@ references: + srg: SRG-OS-000480-GPOS-00227 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule +index fcd4e0a..1b75c45 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule +@@ -32,3 +32,5 @@ references: + stigid@rhel7: "040660" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule +index 76752ad..98a2df7 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule +@@ -32,3 +32,5 @@ references: + stigid@rhel7: "040650" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule +index 068c595..1935645 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule +@@ -31,3 +31,5 @@ references: + ocil: |- + {{{ ocil_sysctl_option_value(sysctl="net.ipv4.ip_forward", value="0") }}} + The ability to forward packets is only appropriate for routers. ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule +index 5fa9b2b..7c8f938 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule +@@ -32,3 +32,5 @@ references: + stigid: "020101" + + {{{ complete_ocil_entry_module_disable(module="dccp") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule +index 07452ee..e739b7c 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule +@@ -31,3 +31,5 @@ references: + nist: CM-7 + + {{{ complete_ocil_entry_module_disable(module="sctp") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule +index fc3a8cb..2b25185 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule +@@ -31,3 +31,5 @@ references: + nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 + + {{{ complete_ocil_entry_module_disable(module="bluetooth") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule +index 302b329..4080993 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule +@@ -24,3 +24,5 @@ identifiers: + references: + disa: "85" + nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/bios_assign_password.rule b/linux_os/guide/system/permissions/mounting/bios_assign_password.rule +index 4d226ba..e0d0137 100644 +--- a/linux_os/guide/system/permissions/mounting/bios_assign_password.rule ++++ b/linux_os/guide/system/permissions/mounting/bios_assign_password.rule +@@ -22,3 +22,5 @@ severity: unknown + identifiers: + cce@rhel6: 27131-2 + cce@rhel7: 27194-0 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule +index 6f67dc5..7dcf2b7 100644 +--- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule ++++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule +@@ -22,3 +22,5 @@ identifiers: + references: + disa: "1250" + nist: AC-19(a),AC-19(d),AC-19(e) ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule +index 25d6507..bb9c4ba 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.1 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule +index 2b6718e..b4bbe6a 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.2 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule +index 7bd3047..39cd1f9 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.4 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule +index 313e5f9..a22bb32 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.5 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule +index fdf7fb0..591acf1 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.3 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule +index e9ddc44..6d83e36 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.6 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule +index 6eb0d21..11c15e6 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule +@@ -22,3 +22,5 @@ references: + cis: 1.1.1.7 + cui: 3.4.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule +index 9a8431a..6db6855 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule +@@ -34,3 +34,5 @@ references: + stigid@rhel7: "020100" + + {{{ complete_ocil_entry_module_disable(module="usb-storage") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule +index 154c678..3094251 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule +@@ -19,3 +19,5 @@ identifiers: + references: + cis: 1.1.15 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule +index 4b2cde4..9cfa2cd 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule +@@ -24,3 +24,5 @@ identifiers: + references: + cis: 1.1.17 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule +index 91e10cb..9becb14 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule +@@ -23,3 +23,5 @@ identifiers: + references: + cis: 1.1.16 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule +index 6af13e5..055d5bc 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule +@@ -20,3 +20,5 @@ severity: unknown + + references: + cis: 1.1.14 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule +index 120f8c5..ee858ee 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule +@@ -23,3 +23,5 @@ references: + cis: 1.1.3 + nist: CM-7,MP-2 + stigid@rhel7: "021000" ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule +index 1766fce..b7f9c2b 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule +@@ -22,3 +22,5 @@ identifiers: + references: + cis: 1.1.11 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule +index f7ebfdb..71569a2 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule +@@ -27,3 +27,5 @@ identifiers: + references: + cis: 1.1.18 + nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule +index 81724d0..0a8bcaf 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule +@@ -30,3 +30,5 @@ ocil: |- +
    $ grep -v noexec /etc/fstab
    + The resulting output will show partitions which do not have the noexec flag. Verify all partitions + in the output are not removable media. ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule +index 9b1a00b..72e2091 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule +@@ -29,3 +29,5 @@ references: + nist: AC-6,AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: "021010" ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule +index 783756f..8c84d15 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule +@@ -19,3 +19,5 @@ identifiers: + references: + cis: 1.1.3 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule +index 2a55a62..28160a9 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule +@@ -26,3 +26,5 @@ references: + disa@rhel6: '381' + cis: 1.1.5 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule +index c01746c..44248fa 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule +@@ -23,3 +23,5 @@ identifiers: + references: + cis: 1.1.4 + nist: CM-7,MP-2 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule +index 3281e0d..5d33657 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule +@@ -20,3 +20,5 @@ identifiers: + references: + cis: 1.1.6 + nist: CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule +index 4900ca1..33f6ffe 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule +@@ -14,3 +14,5 @@ severity: unknown + + references: + cis: 1.1.8 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule +index 2653ab6..c5a1fef 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule +@@ -18,3 +18,5 @@ severity: unknown + + references: + cis: 1.1.10 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule +index 72d59c4..8ec2761 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule +@@ -18,3 +18,5 @@ severity: unknown + + references: + cis: 1.1.9 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule +index 0454e0d..ed99f96 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule +@@ -25,3 +25,5 @@ references: + nist: SI-11 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.suid_dumpable", value="0") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule +index 3d3b169..9632025 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule +@@ -38,3 +38,5 @@ ocil: |- +
    $ sysctl kernel.exec-shield
    + The output should be: + {{{ describe_sysctl_option_value(sysctl="kernel.exec-shield", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule +index 6aba5c9..94ef5df 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule +@@ -26,3 +26,5 @@ references: + stigid: "040201" + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule +index 318f6b3..778d455 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule +@@ -23,3 +23,5 @@ identifiers: + references: + cui: 3.1.7 + nist: CM-6(b) ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule +index 938b0c8..773f66f 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule ++++ b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule +@@ -39,3 +39,5 @@ warnings: + The kernel-PAE package should not be + installed on older systems that do not support the XD or NX bit, as + 8this may prevent them from booting.8 ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule +index eab021a..1574cc4 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule +@@ -21,3 +21,5 @@ references: + nist: SI-11 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled.rule b/linux_os/guide/system/selinux/docker_selinux_enabled.rule +index 400d66c..4cf537b 100644 +--- a/linux_os/guide/system/selinux/docker_selinux_enabled.rule ++++ b/linux_os/guide/system/selinux/docker_selinux_enabled.rule +@@ -23,3 +23,5 @@ severity: high + + identifiers: + cce@rhel7: 80442-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule b/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule +index 179955d..226d4bf 100644 +--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule ++++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule +@@ -29,3 +29,5 @@ references: + cui: 3.1.2,3.1.5,3.7.2 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) + nist: AC-6,AU-9,CM-7 ++ ++platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_policytype.rule b/linux_os/guide/system/selinux/selinux_policytype.rule +index 08b0fe0..c5048b5 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype.rule ++++ b/linux_os/guide/system/selinux/selinux_policytype.rule +@@ -48,3 +48,5 @@ ocil_clause: 'it does not' + ocil: |- + Check the file /etc/selinux/config and ensure the following line appears: +
    SELINUXTYPE=
    ++ ++platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_state.rule b/linux_os/guide/system/selinux/selinux_state.rule +index 2f4f1c5..3612c21 100644 +--- a/linux_os/guide/system/selinux/selinux_state.rule ++++ b/linux_os/guide/system/selinux/selinux_state.rule +@@ -39,3 +39,5 @@ ocil_clause: 'SELINUX is not set to enforcing' + ocil: |- + Check the file /etc/selinux/config and ensure the following line appears: +
    SELINUX=
    ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule +index 1caa1e2..f4c47f6 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule +@@ -67,3 +67,5 @@ ocil: |- + " TYPE="crypto_LUKS" +

    + Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule +index d3c01f1..77d204a 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule +@@ -33,3 +33,5 @@ references: + stigid@rhel7: "021310" + + {{{ complete_ocil_entry_separate_partition(part="/home") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule +index 0c2c3d4..0297192 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule +@@ -32,3 +32,5 @@ references: + stigid@rhel7: "021340" + + {{{ complete_ocil_entry_separate_partition(part="/tmp") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule +index 5b57cec..234d08a 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule +@@ -34,3 +34,5 @@ references: + stigid@rhel7: "021320" + + {{{ complete_ocil_entry_separate_partition(part="/var") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule +index 451daa6..70ced03 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule +@@ -28,3 +28,5 @@ references: + nist: AU-9,SC-32 + + {{{ complete_ocil_entry_separate_partition(part="/var/log") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule +index e3b9238..632b1ff 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule +@@ -37,3 +37,5 @@ references: + stigid@rhel7: "021330" + + {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule +index 1beb3ff..ec180e2 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule +@@ -20,3 +20,5 @@ references: + cis: 1.1.7 + + {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule b/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule +index 9bd6a0b..604a8c6 100644 +--- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule ++++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule +@@ -26,3 +26,5 @@ ocil: |- + system-db:local + system-db:site + system-db:distro ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule +index 860a2c9..4bea499 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule +@@ -32,3 +32,5 @@ ocil: |- + To ensure that users cannot enable disable and restart on the login screen, run the following: +
    $ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*
    + If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule +index 504c187..450c9b5 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule +@@ -28,3 +28,5 @@ ocil: |- + To ensure that users cannot enable displaying the user list, run the following: +
    $ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
    + If properly configured, the output should be /org/gnome/login-screen/disable-user-list ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule +index 176b811..690f330 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule +@@ -44,3 +44,5 @@ ocil: |- + To ensure that users cannot disable smart card authentication on the login screen, run the following: +
    $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*
    + If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule +index 8297e04..4631a4e 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule +@@ -31,3 +31,5 @@ ocil: |- + number of failures on the login screen, run the following: +
    $ grep allowed-failures /etc/dconf/db/gdm.d/locks/*
    + If properly configured, the output should be /org/gnome/login-screen/allowed-failures ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule +index 7170686..62e6d7e 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule +@@ -38,3 +38,5 @@ ocil: |- + The output should show the following: +
    [daemon]
    +     AutomaticLoginEnable=false
    ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule +index 6390e10..dd13252 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule +@@ -38,3 +38,5 @@ ocil: |- + The output should show the following: +
    [daemon]
    +     TimedLoginEnable=false
    ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule +index b3cfbcd..75422b0 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule +@@ -53,3 +53,5 @@ ocil: |- + If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount + If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/auto-open + If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule +index 6b1fd19..bfbfe01 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule +@@ -45,3 +45,5 @@ ocil: |- + To ensure that users cannot how long until the the screensaver locks, run the following: +
    $ grep disable-all /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule +index 0478e57..37ed712 100644 +--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule ++++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule +@@ -40,3 +40,5 @@ ocil: |- +
    $ grep wifi-create /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/nm-applet/disable-wifi-create ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule +index 04867c8..e704c6e 100644 +--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule ++++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule +@@ -42,3 +42,5 @@ ocil: |- +
    $ grep wireless-networks-available /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/nm-applet/suppress-wireless-networks-available ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule +index f2603b6..9891ea5 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule +@@ -41,3 +41,5 @@ ocil: |- +
    $ grep authentication-methods /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/Vino/authentication-methods ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule +index e9a8b35..bda2f5c 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule +@@ -45,3 +45,5 @@ ocil: |- +
    $ grep require-encryption /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/Vino/require-encryption ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule +index 736bca4..ac5a8cb 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule +@@ -43,3 +43,5 @@ ocil: |- + To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +
    $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule +index fb02c5b..21d6261 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule +@@ -50,3 +50,5 @@ ocil: |- + To ensure that users cannot change the screensaver inactivity timeout setting, run the following: +
    $ grep idle-delay /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be /org/gnome/desktop/session/idle-delay ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule +index dd8f391..aa55f86 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule +@@ -34,3 +34,5 @@ ocil: |- + To ensure that users cannot change how long until the the screensaver locks, run the following: +
    $ grep lock-delay /etc/dconf/db/local.d/locks/*
    + If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule +index b337b44..ba2f4e9 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule +@@ -45,3 +45,5 @@ ocil: |- + To ensure that users cannot change how long until the the screensaver locks, run the following: +
    $ grep lock-enabled /etc/dconf/db/local.d/locks/*
    + If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule +index f75dd46..a7e32c9 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule +@@ -44,3 +44,5 @@ ocil: |- + To ensure that users cannot set the screensaver background, run the following: +
    $ grep picture-uri /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule +index acf6d64..80fd5e1 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule +@@ -40,3 +40,5 @@ ocil: |- + To ensure that users cannot enable user name on the lock screen, run the following: +
    $ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule +index 1459ef1..1d0c897 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule +@@ -39,3 +39,5 @@ ocil: |- +
    $ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should return: + /org/gnome/desktop/screensaver/lock-delay ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule +index b467e33..895cfc4 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule +@@ -39,3 +39,5 @@ ocil: |- +
    $ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should return: + /org/gnome/desktop/session/idle-delay ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule +index a6eac82..557d1d5 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule +@@ -35,3 +35,5 @@ ocil: |- +
    $ grep logout /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/settings-daemon/plugins/media-keys/logout ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule +index 29287df..e7d1377 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule +@@ -27,3 +27,5 @@ ocil: |- +
    $ grep location /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule +index 45732fc..bed548f 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule +@@ -39,3 +39,5 @@ ocil: |- +
    $ grep power /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/settings-daemon/plugins/power/active ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule +index a152d85..0ab59df 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule +@@ -45,3 +45,5 @@ ocil: |- +
    $ grep user-administration /etc/dconf/db/local.d/locks/*
    + If properly configured, the output should be + /org/gnome/desktop/lockdown/user-administration-disabled ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule +index 95e9e56..8258357 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule +@@ -49,3 +49,5 @@ ocil: |- + To check on the age of uvscan virus definition files, run the following command: +
    $ sudo cd /opt/NAI/LinuxShield/engine/dat
    +     $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
    ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule +index 86b4b02..c46e88e 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule +@@ -43,3 +43,5 @@ warnings: + detection tools, such as the McAfee Host-based Security System, are available + to integrate with existing infrastructure. When these supplemental tools + interfere with proper functioning of SELinux, SELinux takes precedence. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule +index 189e338..0c65b39 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule +@@ -36,3 +36,5 @@ warnings: + - general: |- + Due to McAfee HIPS being 3rd party software, automated + remediation is not available for this configuration check. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule +index a88c025..bc7dfc7 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule +@@ -27,3 +27,5 @@ ocil: |- + To check on the age of McAfee virus definition files, run the following command: +
    $ sudo cd /opt/NAI/LinuxShield/engine/dat
    +     $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
    ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule +index ee96935..f68e59e 100644 +--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule ++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule +@@ -24,3 +24,5 @@ references: + srg: SRG-OS-000480-GPOS-00227 + + ocil: '{{{ ocil_service_enabled(service="nails") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule +index 4f70107..c1223d6 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule +@@ -60,3 +60,5 @@ warnings: +

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule +index 5573351..1a29bac 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule +@@ -56,3 +56,5 @@ ocil: |- +
    05 4 * * * root /usr/sbin/aide --check
    + + NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. ++ ++platform: machine diff --git a/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch b/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch new file mode 100644 index 0000000..0508a9c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch @@ -0,0 +1,334 @@ +commit 7a1fe8125480948e4a15db51b723436da6cd3a7a +Author: Gabriel Becker +Date: Fri Apr 5 09:48:15 2019 +0200 + + Backport files so machine only tests can run. + +diff --git a/example/product.yml b/example/product.yml +new file mode 100644 +index 0000000..32538fa +--- /dev/null ++++ b/example/product.yml +@@ -0,0 +1,13 @@ ++product: example ++full_name: Example ++type: platform ++ ++benchmark_root: "../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++ ++init_system: "systemd" ++ ++cpes: [] +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule +index 61bde4d..355fca0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule +@@ -34,3 +34,5 @@ warnings: + have been placed independent of other system calls. Grouping system calls related + to the same event is more efficient. See the following example: +
    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
    ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml +index 5ea9fee..e052243 100644 +--- a/linux_os/guide/system/auditing/group.yml ++++ b/linux_os/guide/system/auditing/group.yml +@@ -101,3 +101,5 @@ description: |- + the process, which in this case, is exe="/usr/sbin/httpd". + + ++ ++platform: machine +diff --git a/ssg/constants.py b/ssg/constants.py +index 9bef085..da36007 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -4,6 +4,10 @@ from __future__ import print_function + import datetime + import os.path + ++product_directories = ['debian8', 'fedora', 'ol7', 'opensuse', 'rhel6', ++ 'rhel7', 'sle11', 'sle12', 'ubuntu1404', ++ 'ubuntu1604', 'wrlinux', 'rhel-osp7', 'chromium', ++ 'eap6', 'firefox', 'fuse6', 'jre', 'example'] + + JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname( + __file__)), "shared", "macros.jinja") +@@ -68,6 +72,11 @@ PKG_MANAGER_TO_SYSTEM = { + "apt_get": "dpkg", + } + ++PKG_MANAGER_TO_CONFIG_FILE = { ++ "yum": "/etc/yum.conf", ++ "dnf": "/etc/dnf/dnf.conf", ++} ++ + RHEL_CENTOS_CPE_MAPPING = { + "cpe:/o:redhat:enterprise_linux:6": "cpe:/o:centos:centos:6", + "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7", + +commit 6c91ac3b8fbeebe7e8eeabddbf0430f66bd59a0e +Author: Gabriel Becker +Date: Thu Apr 4 17:38:28 2019 +0200 + + Backport of platform support from https://github.com/ComplianceAsCode/content/pull/3576. + +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index ea6ffbe..7520a7c 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -6,6 +6,7 @@ import os.path + import datetime + import sys + ++from .constants import XCCDF_PLATFORM_TO_CPE + from .checks import is_cce_valid + from .yaml import open_and_expand, open_and_macro_expand + from .utils import required_key +@@ -382,6 +383,7 @@ class Group(object): + self.values = {} + self.groups = {} + self.rules = {} ++ self.platform = None + + @staticmethod + def from_yaml(yaml_file, env_yaml=None): +@@ -397,6 +399,7 @@ class Group(object): + group.description = required_key(yaml_contents, "description") + del yaml_contents["description"] + group.warnings = yaml_contents.pop("warnings", []) ++ group.platform = yaml_contents.pop("platform", None) + + for warning_list in group.warnings: + if len(warning_list) != 1: +@@ -418,6 +421,14 @@ class Group(object): + add_sub_element(group, 'description', self.description) + add_warning_elements(group, self.warnings) + ++ if self.platform: ++ platform_el = ET.SubElement(group, "platform") ++ try: ++ platform_cpe = XCCDF_PLATFORM_TO_CPE[self.platform] ++ except KeyError: ++ raise ValueError("Unsupported platform '%s' in rule '%s'." % (self.platform, self.id_)) ++ platform_el.set("idref", platform_cpe) ++ + for _value in self.values.values(): + group.append(_value.to_xml_element()) + for _group in self.groups.values(): +@@ -440,11 +451,15 @@ class Group(object): + def add_group(self, group): + if group is None: + return ++ if self.platform and not group.platform: ++ group.platform = self.platform + self.groups[group.id_] = group + + def add_rule(self, rule): + if rule is None: + return ++ if self.platform and not rule.platform: ++ rule.platform = self.platform + self.rules[rule.id_] = rule + + def __str__(self): +@@ -467,6 +482,7 @@ class Rule(object): + self.ocil = None + self.external_oval = None + self.warnings = [] ++ self.platform = None + + @staticmethod + def from_yaml(yaml_file, env_yaml=None): +@@ -491,6 +507,7 @@ class Rule(object): + rule.ocil = yaml_contents.pop("ocil", None) + rule.external_oval = yaml_contents.pop("oval_external_content", None) + rule.warnings = yaml_contents.pop("warnings", []) ++ rule.platform = yaml_contents.pop("platform", None) + + for warning_list in rule.warnings: + if len(warning_list) != 1: +@@ -594,6 +611,14 @@ class Rule(object): + + add_warning_elements(rule, self.warnings) + ++ if self.platform: ++ platform_el = ET.SubElement(rule, "platform") ++ try: ++ platform_cpe = XCCDF_PLATFORM_TO_CPE[self.platform] ++ except KeyError: ++ raise ValueError("Unsupported platform '%s' in rule '%s'." % (self.platform, self.id_)) ++ platform_el.set("idref", platform_cpe) ++ + return rule + + def to_file(self, file_name): +@@ -663,6 +688,8 @@ def add_from_directory(action, parent_group, guide_directory, profiles_dir, + profiles_dir, env_yaml, bash_remediation_fns) + + if group is not None: ++ if parent_group: ++ parent_group.add_group(group) + for value_yaml in values: + if action == "list-inputs": + print(value_yaml) +@@ -682,9 +709,7 @@ def add_from_directory(action, parent_group, guide_directory, profiles_dir, + rule = Rule.from_yaml(rule_yaml, env_yaml) + group.add_rule(rule) + +- if parent_group: +- parent_group.add_group(group) +- else: ++ if not parent_group: + # We are on the top level! + # Lets dump the XCCDF group or benchmark to a file + if action == "build": +diff --git a/ssg/constants.py b/ssg/constants.py +index 54e5d61..9bef085 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -194,5 +194,10 @@ OCILREFATTR_TO_TAG = { + "question_ref": "question", + } + ++XCCDF_PLATFORM_TO_CPE = { ++ "machine": "cpe:/a:machine", ++ "container": "cpe:/a:container" ++} ++ + # Application constants + DEFAULT_UID_MIN = 1000 +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 5b791a2..ecaa6dc 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -31,3 +31,8 @@ add_test( + NAME "max-path-len" + COMMAND "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/ensure_paths_are_short.py" + ) ++ ++add_test( ++ NAME "machine-only-rules" ++ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_machine_only_rules.py" --source_dir "${CMAKE_SOURCE_DIR}" --build_dir "${CMAKE_BINARY_DIR}" ++) +diff --git a/tests/test_machine_only_rules.py b/tests/test_machine_only_rules.py +new file mode 100644 +index 0000000..94a2e4e +--- /dev/null ++++ b/tests/test_machine_only_rules.py +@@ -0,0 +1,111 @@ ++#!/usr/bin/python3 ++ ++import os ++import argparse ++import xml.etree.ElementTree as ET ++import sys ++import ssg.constants ++import ssg.yaml ++ ++machine_cpe = "cpe:/a:machine" ++ ++ ++def main(): ++ args = parse_command_line_args() ++ for product in ssg.constants.product_directories: ++ product_dir = os.path.join(args.source_dir, product) ++ product_yaml_path = os.path.join(product_dir, "product.yml") ++ product_yaml = ssg.yaml.open_raw(product_yaml_path) ++ guide_dir = os.path.abspath( ++ os.path.join(product_dir, product_yaml['benchmark_root'])) ++ if not check_product(args.build_dir, product, guide_dir): ++ sys.exit(1) ++ ++ ++def check_product(build_dir, product, guide_dir): ++ input_groups, input_rules = scan_rules_groups(guide_dir, False) ++ ds_path = os.path.join(build_dir, "ssg-" + product + "-ds.xml") ++ if not check_ds(ds_path, "groups", input_groups): ++ return False ++ return True ++ ++ ++def check_ds(ds_path, what, input_elems): ++ try: ++ tree = ET.parse(ds_path) ++ except IOError as e: ++ sys.stderr.write("The product datastream '%s' hasn't been build, " ++ "skipping the test." % (ds_path)) ++ return True ++ root = tree.getroot() ++ if what == "groups": ++ replacement = "xccdf_org.ssgproject.content_group_" ++ xpath_query = ".//{%s}Group" % ssg.constants.XCCDF12_NS ++ if what == "rules": ++ replacement = "xccdf_org.ssgproject.content_rule_" ++ xpath_query = ".//{%s}Rule" % ssg.constants.XCCDF12_NS ++ benchmark = root.find(".//{%s}Benchmark" % ssg.constants.XCCDF12_NS) ++ for elem in benchmark.findall(xpath_query): ++ elem_id = elem.get("id") ++ elem_short_id = elem_id.replace(replacement, "") ++ if elem_short_id not in input_elems: ++ continue ++ platforms = elem.findall("{%s}platform" % ssg.constants.XCCDF12_NS) ++ machine_platform = False ++ for p in platforms: ++ idref = p.get("idref") ++ if idref == machine_cpe: ++ machine_platform = True ++ if not machine_platform: ++ sys.stderr.write("%s %s in %s is missing element" % ++ (what, elem_short_id, ds_path)) ++ return False ++ return True ++ ++ ++def parse_command_line_args(): ++ parser = argparse.ArgumentParser( ++ description="Tests if 'machine' CPEs are " ++ "propagated to the built datastream") ++ parser.add_argument("--source_dir", required=True, ++ help="Content source directory path") ++ parser.add_argument("--build_dir", required=True, ++ help="Build directory containing built datastreams") ++ args = parser.parse_args() ++ return args ++ ++ ++def check_if_machine_only(dirpath, name, is_machine_only_group): ++ if name in os.listdir(dirpath): ++ if is_machine_only_group: ++ return True ++ yml_path = os.path.join(dirpath, name) ++ with open(yml_path, "r") as yml_file: ++ yml_file_contents = yml_file.read() ++ if "platform: machine" in yml_file_contents: ++ return True ++ return False ++ ++ ++def scan_rules_groups(dirpath, parent_machine_only): ++ groups = set() ++ rules = set() ++ name = os.path.basename(dirpath) ++ is_machine_only = False ++ if check_if_machine_only(dirpath, "group.yml", parent_machine_only): ++ groups.add(name) ++ is_machine_only = True ++ if check_if_machine_only(dirpath, "rule.yml", parent_machine_only): ++ rules.add(name) ++ for dir_item in os.listdir(dirpath): ++ subdir_path = os.path.join(dirpath, dir_item) ++ if os.path.isdir(subdir_path): ++ subdir_groups, subdir_rules = scan_rules_groups( ++ subdir_path, is_machine_only) ++ groups |= subdir_groups ++ rules |= subdir_rules ++ return groups, rules ++ ++ ++if __name__ == "__main__": ++ main() diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch b/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch new file mode 100644 index 0000000..6c09f2e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch @@ -0,0 +1,105 @@ +From 2e3cd7e8930b2456cbc6e182aa9a9f700ea9fa69 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Apr 2019 15:41:56 +0200 +Subject: [PATCH] Add GDM CPE and mark GNOME group + +--- + .../gui_login_banner/group.yml | 2 + + .../guide/system/software/gnome/group.yml | 2 + + rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++ + .../oval/installed_env_has_gdm_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 5 files changed, 47 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_gdm_package.xml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml +index 3ee83be305..006177b16e 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml +@@ -9,3 +9,5 @@ description: |- + displayed in this graphical environment for these users. + The following sections describe how to configure the GDM login + banner. ++ ++platform: gdm +diff --git a/linux_os/guide/system/software/gnome/group.yml b/linux_os/guide/system/software/gnome/group.yml +index 914431adb1..54d9dc547a 100644 +--- a/linux_os/guide/system/software/gnome/group.yml ++++ b/linux_os/guide/system/software/gnome/group.yml +@@ -12,3 +12,5 @@ description: |- + Red Hat Graphical environment. +

    + For more information on GNOME and the GNOME Project, see {{{ weblink(link="https://www.gnome.org") }}}. ++ ++platform: gdm +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index d64c18e846..b6bc8b4e53 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -47,6 +47,11 @@ + + installed_env_is_a_machine + ++ ++ Package gdm is installed ++ ++ installed_env_has_gdm_package ++ + + Package libuser is installed + +diff --git a/shared/checks/oval/installed_env_has_gdm_package.xml b/shared/checks/oval/installed_env_has_gdm_package.xml +new file mode 100644 +index 0000000000..57fb7a655c +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_gdm_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ Package gdm is installed ++ ++ multi_platform_all ++ ++ Checks if package gdm is installed. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ gdm ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ gdm ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index 94d9d8c180..6e4fd3c741 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -376,6 +376,7 @@ + XCCDF_PLATFORM_TO_CPE = { + "machine": "cpe:/a:machine", + "container": "cpe:/a:container", ++ "gdm": "cpe:/a:gdm", + "libuser": "cpe:/a:libuser", + "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", + "pam": "cpe:/a:pam", diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch b/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch new file mode 100644 index 0000000..26d66d3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch @@ -0,0 +1,831 @@ +From 32caed89b5cf14f86e5d842569c4f73cdae6ed26 Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Wed, 3 Apr 2019 16:49:38 -0400 +Subject: [PATCH 01/11] create PAM package CPE + +--- + .../oval/installed_env_has_pam_package.xml | 25 +++++++++++++++++++ + 1 file changed, 25 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_pam_package.xml + +diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml +new file mode 100644 +index 0000000000..b6376575b2 +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_pam_package.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ ++ Package pam is installed ++ ++ multi_platform_all ++ ++ Checks if package pam is installed. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ pam ++ ++ ++ + +From 213a472a89b3b591a4fd441bcf0f0f3ba633afe3 Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Wed, 3 Apr 2019 16:49:53 -0400 +Subject: [PATCH 02/11] add PAM CPE to constants + +--- + ssg/constants.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssg/constants.py b/ssg/constants.py +index f96fd51790..e87eb7f43c 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -376,6 +376,7 @@ + XCCDF_PLATFORM_TO_CPE = { + "machine": "cpe:/a:machine", + "container": "cpe:/a:container", ++ "pam": "cpe:/a:pam", + "shadow-utils": "cpe:/a:shadow-utils", + } + + +From 6afde50cf7a4a75829ed092c8e30116df7a99601 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 15:43:04 +0200 +Subject: [PATCH 03/11] Update rules for PAM CPE check + +--- + .../accounts_password_pam_dcredit.rule | 2 ++ + .../accounts_password_pam_difok.rule | 2 ++ + .../accounts_password_pam_maxclassrepeat.rule | 2 ++ + .../accounts_password_pam_minclass.rule | 2 ++ + .../accounts_password_pam_minlen.rule | 2 ++ + .../accounts_max_concurrent_login_sessions.rule | 2 ++ + 6 files changed, 12 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule +index 72fc5970ea..fe997d97c8 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule +@@ -52,3 +52,5 @@ ocil: |- +
    $ grep dcredit /etc/security/pwquality.conf
    + The dcredit parameter (as a negative number) will indicate how many digits are required. + The DoD requires at least one digit in a password. This would appear as dcredit = -1. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule +index 931f0aa9e4..d1855a2cf4 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule +@@ -53,3 +53,5 @@ ocil: |- + To check how many characters must differ during a password change, run the following command: +
    $ grep difok /etc/security/pwquality.conf
    + The difok parameter will indicate how many characters must differ. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule +index 35de1318d5..d964a5e3ea 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule +@@ -43,3 +43,5 @@ ocil: |- + To check the value for maximum consecutive repeating characters, run the following command: +
    $ grep maxclassrepeat /etc/security/pwquality.conf
    + For DoD systems, the output should show maxclassrepeat=4. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule +index 7f99aba143..dc3377de0b 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule +@@ -60,3 +60,5 @@ ocil: |- + The minclass parameter will indicate how many character classes must be used. If + the requirement was for the password to contain characters from three different categories, + then this would appear as minclass = 3. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule +index d6462579fe..0799aecf01 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule +@@ -49,3 +49,5 @@ ocil: |- + To check how many characters are required in a password, run the following command: +
    $ grep minlen /etc/security/pwquality.conf
    + Your output should contain minlen = ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule +index bd53c19c08..f9d9a08706 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule +@@ -45,3 +45,5 @@ + ocil_clause: 'maxlogins is not equal to or less than the expected value' + + ocil: "Run the following command to ensure the maxlogins value is configured for all users\non the system:\n
    # grep \"maxlogins\" /etc/security/limits.conf
    \nYou should receive output similar to the following:\n
    *\t\thard\tmaxlogins\t
    " ++ ++platform: pam + +From 351ee6945df37a28cc4f4589b17eb4c35066b00b Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Wed, 3 Apr 2019 17:17:40 -0400 +Subject: [PATCH 04/11] add libuser CPE + +--- + .../installed_env_has_libuser_package.xml | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_libuser_package.xml + +diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml +new file mode 100644 +index 0000000000..ee79b19f8a +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_libuser_package.xml +@@ -0,0 +1,24 @@ ++ ++ ++ ++ Package libuser is installed ++ ++ multi_platform_all ++ ++ Checks if package libuser is installed. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ libuser ++ ++ ++ + +From e0b2db79f718b2f64ec25c39f01b53d4e9a80b00 Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Wed, 3 Apr 2019 17:17:50 -0400 +Subject: [PATCH 05/11] add systemd CPE + +--- + .../installed_env_has_systemd_package.xml | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_systemd_package.xml + +diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml +new file mode 100644 +index 0000000000..99706ee1c6 +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_systemd_package.xml +@@ -0,0 +1,24 @@ ++ ++ ++ ++ Package systemd is installed ++ ++ multi_platform_all ++ ++ Checks if package systemd is installed. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ systemd ++ ++ ++ + +From 2ec6e5654ef63232c973d91cdee6f8eb9156eb9b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 15:45:01 +0200 +Subject: [PATCH 06/11] Update rules with package CPEs + +--- + .../accounts/accounts-pam/display_login_attempts.rule | 2 ++ + .../accounts_password_pam_unix_remember.rule | 2 ++ + .../accounts_passwords_pam_faillock_deny.rule | 2 ++ + .../accounts_passwords_pam_faillock_deny_root.rule | 2 ++ + .../accounts_passwords_pam_faillock_interval.rule | 2 ++ + .../accounts_passwords_pam_faillock_unlock_time.rule | 2 ++ + .../accounts_password_pam_lcredit.rule | 2 ++ + .../accounts_password_pam_ocredit.rule | 2 ++ + .../accounts_password_pam_retry.rule | 2 ++ + .../accounts_password_pam_ucredit.rule | 2 ++ + .../set_password_hashing_algorithm_libuserconf.rule | 2 ++ + .../set_password_hashing_algorithm_logindefs.rule | 2 ++ + .../set_password_hashing_algorithm_systemauth.rule | 2 ++ + .../accounts-physical/disable_ctrlaltdel_burstaction.rule | 2 ++ + .../user_umask/accounts_umask_etc_login_defs.rule | 2 ++ + ssg/constants.py | 2 ++ + 16 files changed, 32 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule +index 5c2287a4d3..baeece4b59 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule +@@ -47,3 +47,5 @@ ocil: |- + the following command: +
    $ grep pam_lastlog.so /etc/pam.d/postlogin
    + The output should show output showfailed. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule +index dcde239e85..a63e0e6d1d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule +@@ -56,3 +56,5 @@ ocil: |- +
    $ grep remember /etc/pam.d/system-auth
    + The output should show the following at the end of the line: +
    remember=
    ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule +index c8147e7c17..e10b0a1b67 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule +@@ -56,3 +56,5 @@ ocil: |- + To ensure the failed password attempt policy is configured correctly, run the following command: +
    $ grep pam_faillock /etc/pam.d/system-auth
    + The output should show deny=. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule +index b5283b052e..b4c4df7186 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule +@@ -50,3 +50,5 @@ ocil: |- + attempts, run the following command: +
    $ grep even_deny_root /etc/pam.d/system-auth
    + The output should show even_deny_root. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule +index 485fb7970d..ac21fe4c81 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule +@@ -65,3 +65,5 @@ + ocil_clause: 'fail_interval is less than the required value' + + ocil: "To ensure the failed password attempt policy is configured correctly, run the following command:\n
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    \nFor each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is \n or greater. \nIf the fail_interval parameter is not set, the default setting of 900 seconds is acceptable." ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule +index 9abd02feea..f4bfaec622 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule +@@ -59,3 +59,5 @@ ocil: |- + To ensure the failed password attempt policy is configured correctly, run the following command: +
    $ grep pam_faillock /etc/pam.d/system-auth
    + The output should show unlock_time=<some-large-number> or never. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule +index ba0be4ebeb..21d86585ed 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule +@@ -51,3 +51,5 @@ ocil: |- +
    $ grep lcredit /etc/security/pwquality.conf
    + The lcredit parameter (as a negative number) will indicate how many special characters are required. + The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule +index c39cc2a09b..d7f7083d27 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule +@@ -53,3 +53,5 @@ ocil: |- + The ocredit parameter (as a negative number) will indicate how many special characters are required. + The DoD and FISMA require at least one special character in a password. + This would appear as ocredit = -1. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule +index c0f8ed8d6d..fea35e37a3 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule +@@ -46,3 +46,5 @@ ocil: |- + The retry parameter will indicate how many attempts are permitted. + The DoD required value is less than or equal to 3. + This would appear as retry=3, or a lower value. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule +index 2222ac2297..a4ecdf969d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule +@@ -50,3 +50,5 @@ ocil: |- + The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. + The DoD and FISMA require at least one uppercase character in a password. + This would appear as ucredit = -1. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule +index 0f6cf57e57..397bad4ea6 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule +@@ -55,3 +55,5 @@ ocil: |- + Inspect /etc/libuser.conf and ensure the following line appears + in the [default] section: +
    crypt_style = sha512
    ++ ++platform: libuser +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule +index a23a7863c9..84212c7648 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule +@@ -47,3 +47,5 @@ ocil_clause: 'it does not' + ocil: |- + Inspect /etc/login.defs and ensure the following line appears: +
    ENCRYPT_METHOD SHA512
    ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule +index 070e65fc3a..48e8ac427d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule +@@ -65,3 +65,5 @@ ocil: |- + ensure that the pam_unix.so module includes the argument + sha512: +
    $ grep sha512 /etc/pam.d/system-auth
    ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule +index e215a41a91..d68bf2be38 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule +@@ -53,3 +53,5 @@ warnings: + key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The + Ctrl-Alt-Del key sequence will only be disabled if running in + the non-graphical runlevel 3. ++ ++platform: systemd +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule +index e9e327352b..a087ca8f6a 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule +@@ -41,3 +41,5 @@ ocil: |- + All output must show the value of umask set as shown in the below: +
    # grep -i "UMASK" /etc/login.defs
    +     umask 
    ++ ++platform: shadow-utils +diff --git a/ssg/constants.py b/ssg/constants.py +index e87eb7f43c..8b3a792f10 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -376,8 +376,10 @@ + XCCDF_PLATFORM_TO_CPE = { + "machine": "cpe:/a:machine", + "container": "cpe:/a:container", ++ "libuser": "cpe:/a:libuser", + "pam": "cpe:/a:pam", + "shadow-utils": "cpe:/a:shadow-utils", ++ "systemd": "cpe:/a:systemd", + } + + # Application constants + +From e884c6f090bf4a7963721b4948f18b05193cc0bb Mon Sep 17 00:00:00 2001 +From: Shawn Wells +Date: Wed, 3 Apr 2019 17:45:31 -0400 +Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE + +--- + .../ldap_client_start_tls.rule | 2 ++ + ...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++ + ssg/constants.py | 1 + + 3 files changed, 27 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml + +diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule +index c4839d7de5..22a9fd60d9 100644 +--- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule ++++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule +@@ -48,3 +48,5 @@ ocil: |- +
    $ grep start_tls /etc/pam_ldap.conf
    + The result should contain: +
    ssl start_tls
    ++ ++platform: nss-pam-ldapd +diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml +new file mode 100644 +index 0000000000..0637e4a64e +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml +@@ -0,0 +1,24 @@ ++ ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ multi_platform_all ++ ++ Checks if package nss-pam-ldapd is installed. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ nss-pam-ldapd ++ ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index 8b3a792f10..8d7a4cc290 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -377,6 +377,7 @@ + "machine": "cpe:/a:machine", + "container": "cpe:/a:container", + "libuser": "cpe:/a:libuser", ++ "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", + "pam": "cpe:/a:pam", + "shadow-utils": "cpe:/a:shadow-utils", + "systemd": "cpe:/a:systemd", + +From 7cbbe94a051f3978592edb207b5fb178fd6d0e2f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 15:55:08 +0200 +Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine + environment + +--- + .../integrity/fips/grub_legacy_enable_fips_mode.rule | 2 ++ + .../integrity/fips/package_dracut-fips_installed.rule | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule +index f112bddacd..6761b8736d 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule ++++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule +@@ -50,3 +50,5 @@ warnings: +

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule +index c1f6e515e6..055ec8f774 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule +@@ -37,3 +37,5 @@ references: + ocil_clause: 'the package is not installed' + + ocil: '{{{ ocil_package(package="dracut-fips") }}}' ++ ++platform: machine + +From 86704595eb3500a8ef15f5fc0c1412d000c201d1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 16:15:45 +0200 +Subject: [PATCH 09/11] Update CPE package check to handle deb packages + +--- + .../oval/installed_env_has_libuser_package.xml | 15 ++++++++++++++- + .../installed_env_has_nss-pam-ldapd_package.xml | 15 ++++++++++++++- + .../checks/oval/installed_env_has_pam_package.xml | 15 ++++++++++++++- + .../installed_env_has_shadow-utils_package.xml | 15 ++++++++++++++- + .../oval/installed_env_has_systemd_package.xml | 15 ++++++++++++++- + 5 files changed, 70 insertions(+), 5 deletions(-) + +diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml +index ee79b19f8a..b848337b0e 100644 +--- a/shared/checks/oval/installed_env_has_libuser_package.xml ++++ b/shared/checks/oval/installed_env_has_libuser_package.xml +@@ -14,11 +14,24 @@ + + + +- ++{{% if pkg_system == "rpm" %}} ++ + + + + libuser + ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ libuser ++ ++{{% endif %}} + + +diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml +index 0637e4a64e..748f68f60f 100644 +--- a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml ++++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml +@@ -14,11 +14,24 @@ + + + +- ++{{% if pkg_system == "rpm" %}} ++ + + + + nss-pam-ldapd + ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ nss-pam-ldapd ++ ++{{% endif %}} + + +diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml +index b6376575b2..dee3bcd26f 100644 +--- a/shared/checks/oval/installed_env_has_pam_package.xml ++++ b/shared/checks/oval/installed_env_has_pam_package.xml +@@ -15,11 +15,24 @@ + + + +- ++{{% if pkg_system == "rpm" %}} ++ + + + + pam + ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ pam ++ ++{{% endif %}} + + +diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml +index 12dd5bd565..11f40a324f 100644 +--- a/shared/checks/oval/installed_env_has_shadow-utils_package.xml ++++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml +@@ -14,11 +14,24 @@ + + + +- ++{{% if pkg_system == "rpm" %}} ++ + + + + shadow-utils + ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ shadow-utils ++ ++{{% endif %}} + + +diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml +index 99706ee1c6..2dfdff10cc 100644 +--- a/shared/checks/oval/installed_env_has_systemd_package.xml ++++ b/shared/checks/oval/installed_env_has_systemd_package.xml +@@ -14,11 +14,24 @@ + + + +- ++{{% if pkg_system == "rpm" %}} ++ + + + + systemd + ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ systemd ++ ++{{% endif %}} + + + +From d8dfd5c10412bc3ecd180325c4a1cc997e6e2b8f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 16:25:27 +0200 +Subject: [PATCH 10/11] Add yum CPE and update rules plaforms + +--- + .../clean_components_post_updating.rule | 2 + + ....rule | 2 + + .../ensure_gpgcheck_local_packages.rule | 2 + + .../ensure_gpgcheck_repo_metadata.rule | 2 + + .../oval/installed_env_has_yum_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 6 files changed, 46 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml + +diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating.rule b/linux_os/guide/system/software/updating/clean_components_post_updating.rule +index d5f0756c2a..9bbcadea11 100644 +--- a/linux_os/guide/system/software/updating/clean_components_post_updating.rule ++++ b/linux_os/guide/system/software/updating/clean_components_post_updating.rule +@@ -40,3 +40,5 @@ ocil: |- +
    $ grep clean_requirements_on_remove /etc/yum.conf
    + The output should return something similar to: +
    clean_requirements_on_remove=1
    ++ ++platform: yum +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule +index 73e29ae1a5..b19e178026 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule +@@ -67,3 +67,5 @@ ocil: |- + A value of 1 indicates that gpgcheck is enabled. Absence of a + gpgcheck line or a setting of 0 indicates that it is + disabled. ++ ++platform: yum +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule +index 7d94688af4..d1ffba4d4e 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule +@@ -47,3 +47,5 @@ ocil: |- +
    $ grep localpkg_gpgcheck /etc/yum.conf
    + The output should return something similar to: +
    localpkg_gpgcheck=1
    ++ ++platform: yum +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule +index aa3aa83f70..4f8a76652c 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule +@@ -55,3 +55,5 @@ ocil: |- +
    $ grep repo_gpgcheck /etc/yum.conf
    + The output should return something similar to: +
    repo_gpgcheck=1
    ++ ++platform: yum +diff --git a/shared/checks/oval/installed_env_has_yum_package.xml b/shared/checks/oval/installed_env_has_yum_package.xml +new file mode 100644 +index 0000000000..916d568062 +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_yum_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ Package yum is installed ++ ++ multi_platform_all ++ ++ Checks if package yum is installed. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ yum ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ yum ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index 8d7a4cc290..94d9d8c180 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -381,6 +381,7 @@ + "pam": "cpe:/a:pam", + "shadow-utils": "cpe:/a:shadow-utils", + "systemd": "cpe:/a:systemd", ++ "yum": "cpe:/a:yum", + } + + # Application constants + +From b7250b641c3d533d10a8e633094cf6421b0c34dc Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 8 Apr 2019 18:00:19 +0200 +Subject: [PATCH 11/11] Update rhel7 cpe-dictionary + +--- + rhel7/cpe/rhel7-cpe-dictionary.xml | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index 44fe06f103..d64c18e846 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -47,9 +47,34 @@ + + installed_env_is_a_machine +
    ++ ++ Package libuser is installed ++ ++ installed_env_has_libuser_package ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ installed_env_has_nss-pam-ldapd_package ++ ++ ++ Package pam is installed ++ ++ installed_env_has_pam_package ++ + + Package shadow-utils is installed + + installed_env_has_shadow-utils_package + ++ ++ Package systemd is installed ++ ++ installed_env_has_systemd_package ++ ++ ++ Package yum is installed ++ ++ installed_env_has_yum_package ++ + diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch b/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch new file mode 100644 index 0000000..0e1bcdb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch @@ -0,0 +1,41 @@ +From 51b6c4c3476608e298c65d402f6d897f1dd6b1aa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Apr 2019 17:57:39 +0200 +Subject: [PATCH] Set various platform package CPE + +--- + .../accounts_password_pam_maxrepeat.rule | 2 ++ + .../accounts-session/accounts_have_homedir_login_defs.rule | 2 ++ + .../restrictions/coredumps/disable_users_coredumps.rule | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule +index d23b1d99d0..925288b4f3 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule +@@ -46,3 +46,5 @@ ocil: |- +
    $ grep maxrepeat /etc/security/pwquality.conf
    + Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as + maxrepeat=3. ++ ++platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule +index 300f409ca3..215565460c 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule +@@ -32,3 +32,5 @@ ocil: |- +

    +
    $ sudo grep create_home /etc/login.defs
    +

    ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule +index 99c2521afa..0e30d0d7ee 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule +@@ -37,3 +37,5 @@ ocil: |- +
    $ grep core /etc/security/limits.conf
    + The output should be: +
    *     hard   core    0
    ++ ++platform: pam diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch b/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch new file mode 100644 index 0000000..4b69b63 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch @@ -0,0 +1,158 @@ +From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Apr 2019 18:05:15 +0200 +Subject: [PATCH 1/3] Introduce CPE shadow-utils + +- Add inventory OVAL check for shadow-utils package installed +- Add shadow-utils CPE to RHEL7 dictionary +--- + rhel7/cpe/rhel7-cpe-dictionary.xml | 5 ++++ + ...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++ + 2 files changed, 29 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml + +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index 23541378f8..44fe06f103 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -47,4 +47,9 @@ + + installed_env_is_a_machine + ++ ++ Package shadow-utils is installed ++ ++ installed_env_has_shadow-utils_package ++ + +diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml +new file mode 100644 +index 0000000000..12dd5bd565 +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml +@@ -0,0 +1,24 @@ ++ ++ ++ ++ Package shadow-utils is installed ++ ++ multi_platform_all ++ ++ Checks if package shadow-utils is installed. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ shadow-utils ++ ++ ++ + +From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Apr 2019 18:10:33 +0200 +Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed + +If package shadow-utils is not installed, the rule will result in +notapplicable. +--- + .../account_disable_post_pw_expiration.rule | 2 ++ + .../accounts_maximum_age_login_defs.rule | 2 ++ + .../accounts_minimum_age_login_defs.rule | 2 ++ + .../accounts_password_minlen_login_defs.rule | 2 ++ + .../accounts_password_warn_age_login_defs.rule | 2 ++ + .../accounts-session/accounts_logon_fail_delay.rule | 2 ++ + 6 files changed, 12 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule +index 9d19274f1c..d8b29b6436 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule +@@ -62,3 +62,5 @@ ocil: |- + to an appropriate integer as shown in the example below: +
    $ grep "INACTIVE" /etc/default/useradd
    +     INACTIVE=
    ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule +index 90dc1b4f2b..de322bc787 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule +@@ -55,3 +55,5 @@ ocil: |- +
    $ grep PASS_MAX_DAYS /etc/login.defs
    + The DoD and FISMA requirement is 60. + A value of 180 days is sufficient for many environments. ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule +index 88706c8b3e..dd7030cd0a 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule +@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value' + ocil: |- + To check the minimum password age, run the command: +
    $ grep PASS_MIN_DAYS /etc/login.defs
    ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule +index 814fda94b9..d38ee253fb 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule +@@ -51,3 +51,5 @@ ocil: |- + To check the minimum password length, run the command: +
    $ grep PASS_MIN_LEN /etc/login.defs
    + The DoD requirement is 15. ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule +index d8947ad9fd..85b5cd762f 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule +@@ -40,3 +40,5 @@ ocil: |- + To check the password warning age, run the command: +
    $ grep PASS_WARN_AGE /etc/login.defs
    + The DoD requirement is 7. ++ ++platform: shadow-utils +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule +index 171051e138..33fc873e97 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule +@@ -37,3 +37,5 @@ ocil: |- + All output must show the value of FAIL_DELAY set as shown in the below: +
    $ sudo grep -i "FAIL_DELAY" /etc/login.defs
    +     fail_delay 
    ++ ++platform: shadow-utils + +From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Apr 2019 18:14:58 +0200 +Subject: [PATCH 3/3] Map shadow-utils platform to CPE name + +--- + ssg/constants.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssg/constants.py b/ssg/constants.py +index b80382be3d..f96fd51790 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -375,7 +375,8 @@ + + XCCDF_PLATFORM_TO_CPE = { + "machine": "cpe:/a:machine", +- "container": "cpe:/a:container" ++ "container": "cpe:/a:container", ++ "shadow-utils": "cpe:/a:shadow-utils", + } + + # Application constants diff --git a/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch b/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch new file mode 100644 index 0000000..95b0180 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch @@ -0,0 +1,53 @@ +From f984d1cee639ddc2d1249f07151687f552400e3a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 11 Apr 2019 13:49:44 +0200 +Subject: [PATCH 1/5] Update rhel dictionaries + +--- + rhel6/cpe/rhel6-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ + 3 files changed, 105 insertions(+) + +diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml +index b5aa6f2b35..7e1f711459 100644 +--- a/rhel6/cpe/rhel6-cpe-dictionary.xml ++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml +@@ -37,4 +37,39 @@ + + installed_env_is_a_machine + ++ ++ Package gdm is installed ++ ++ installed_env_has_gdm_package ++ ++ ++ Package libuser is installed ++ ++ installed_env_has_libuser_package ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ installed_env_has_nss-pam-ldapd_package ++ ++ ++ Package pam is installed ++ ++ installed_env_has_pam_package ++ ++ ++ Package shadow-utils is installed ++ ++ installed_env_has_shadow-utils_package ++ ++ ++ Package systemd is installed ++ ++ installed_env_has_systemd_package ++ ++ ++ Package yum is installed ++ ++ installed_env_has_yum_package ++ + diff --git a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch new file mode 100644 index 0000000..7e5961c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch @@ -0,0 +1,1007 @@ +commit 470fb4275710c828f3cdd91ce65c69f78e2e6451 +Author: Gabriel Becker +Date: Fri Apr 5 16:28:44 2019 +0200 + + Mark rules not applicable for container as machine only. + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml +index 6acdd02..79d7023 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml +@@ -10,3 +10,5 @@ description: |- + controls and perform some logging. It has been largely obsoleted by other + features, and it is not installed by default. The older Inetd service + is not even available as part of {{{ full_name }}}. ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule +index 5c58455..815097b 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule +@@ -37,5 +37,3 @@ ocil: |- + To verify the operating system has the packages required for multifactor + authentication installed, run the following command: +
    $ sudo yum list installed esc pam_pkcs11 authconfig-gtk
    +- +-platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule +index e4c0870..5b01b62 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule +@@ -41,5 +41,3 @@ references: + ocil_clause: 'non-exempt accounts are not using CAC authentication' + + ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n
      \n
    • SIPRNET systems
    • \n
    • Standalone systems
    • \n
    • Application accounts
    • \n
    • Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
    • \n
    • Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
    • \n
    • Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
    • \n
    " +- +-platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule +index c68db6d..9af1126 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule +@@ -42,5 +42,3 @@ ocil: |- +
    cert_policy = ca, ocsp_on, signature;
    +     cert_policy = ca, ocsp_on, signature;
    +     cert_policy = ca, ocsp_on, signature;
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule +index 98fb3f8..b3bba5b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule +@@ -58,4 +58,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule +index 77be3c4..c3e5036 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule +index e530ea9..76bb69d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule +index 2410fc9..502e3a0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule +index 4f0c7e7..d980704 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule +index 12d51f8..99d2083 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule +index b0ff227..bda4448 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule +index 4e19015..e5ba297 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule +index 39fb8bd..d88a48f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule +index 52d0c85..0b0100e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule +index f7ffae4..07222b0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule +index 3ff38cf..f27667d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule +@@ -61,4 +61,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule +index da633bd..ccc90e8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule +@@ -56,4 +56,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule +index f2c7891..8e40014 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule +@@ -47,5 +47,3 @@ ocil: |- +
    $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
    + The output should return something similar to: +
    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule +index ea42555..2a97b84 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule +@@ -46,5 +46,3 @@ ocil: |- +
    $ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
    + The output should return something similar to: +
    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule +index dd62afa..c2aedce 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule +@@ -47,5 +47,3 @@ ocil: |- +
    $ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
    + The output should return something similar to: +
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule +index 2804b8d..247453e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule +@@ -47,5 +47,3 @@ ocil: |- +
    $ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
    + The output should return something similar to: +
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule +index d110f8a..916af4c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule +@@ -66,4 +66,3 @@ warnings: +
  • audit_rules_file_deletion_events_unlinkat
  • + + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule +index 51b1d54..80eb011 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule +@@ -41,4 +41,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule +index 96133fc..b219eda 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule +@@ -41,4 +41,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule +index 21abd3a..37e7fb2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule +@@ -41,4 +41,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule +index 25c2ec2..7c392bc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule +@@ -41,4 +41,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule +index 390a4e5..793f9b0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule +@@ -41,4 +41,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule +index 370fbab..58e81a1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule +@@ -39,4 +39,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule +index d86680d..992bce9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule +@@ -37,4 +37,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule +index 01de6c8..7631ecd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule +@@ -38,4 +38,3 @@ references: + + {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule +index 9610d30..3c4e05f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule +@@ -41,5 +41,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule +index bd266b8..8ce37aa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule +@@ -41,5 +41,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule +index b913129..7ab7824 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule +@@ -41,5 +41,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule +index 11d187d..20edbdf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule +@@ -54,4 +54,3 @@ warnings: +
  • audit_rules_login_events_lastlog
  • + + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule +index b730fdd..78f9d91 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule +@@ -43,5 +43,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/faillock"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule +index 83c5cb7..6c1919d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule +@@ -43,5 +43,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/lastlog"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule +index 9a9770a..b0eed40 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule +@@ -43,5 +43,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/var/log/tallylog"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule +index 3815429..b6ec543 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule +@@ -82,4 +82,3 @@ warnings: +
  • audit_rules_privileged_commands_passwd
  • + + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule +index 9d6c828..5d0478a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule +index ac5c38a..e89b93f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule +index 03bcb6c..dfffee9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule +index 5c8c407..7d77eb9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule +index b8f8e5c..e97e83c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule +index fda2e0c..6398885 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule +index cb41772..fc955cd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule +index 6f3f787..1f55e04 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule +index d6f4eeb..91a9d64 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule +index 21e0a11..293a033 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule +@@ -47,4 +47,3 @@ ocil: |- +
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule +index fa7ff2b..4bb59ae 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule +index d791805..7c2e986 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule +index e8b3585..4103c8a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule +index 8984a84..6f2fd62 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule +index 5b636ea..db6d4db 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule +@@ -49,4 +49,3 @@ ocil: |- +
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule +index 205bf97..743ea9f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule +index 91f31f3..97c3683 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule +@@ -50,4 +50,3 @@ ocil: |- +
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule +index 2c42c74..991abcf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule +@@ -37,5 +37,3 @@ references: + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) + nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5 + pcidss: Req-10.5.2 +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule +index 5952dbb..0636d42 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule +@@ -48,4 +48,3 @@ ocil: |- + configuration, a line should be returned (including + perm=wa indicating permissions that are watched). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule +index 28c64ca..2ec5b8d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule +@@ -51,4 +51,3 @@ ocil: |- + To verify that auditing is configured for all media exportation events, run the following command: +
    $ sudo auditctl -l | grep syscall | grep mount
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule +index 55e1893..9ee65de 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule +@@ -56,4 +56,3 @@ ocil: |- + If the system is configured to watch for network configuration changes, a line should be returned for + each file specified (and perm=wa should be indicated for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule +index 017a053..e63f61a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule +@@ -41,5 +41,3 @@ references: + nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 + ospp@rhel7: FAU_GEN.1.1.c + pcidss: Req-10.2.3 +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule +index 3be1932..15c33a2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule +@@ -47,5 +47,3 @@ ocil_clause: 'there is not output' + ocil: |- + To verify that auditing is configured for system administrator actions, run the following command: +
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule +index d40c9df..7be7503 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule +@@ -47,4 +47,3 @@ ocil: |- + The output should contain: +
    -f 2
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule +index 2838470..2278906 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule +@@ -69,4 +69,3 @@ warnings: +
  • audit_rules_usergroup_modification_passwd
  • + + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule +index 143e63b..1a5251f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule +@@ -53,4 +53,3 @@ ocil: |- + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule +index 5e14989..0d54b2f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule +@@ -53,4 +53,3 @@ ocil: |- + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule +index 9e7ce3d..0567184 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule +@@ -53,4 +53,3 @@ ocil: |- + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule +index 76bce57..1c97a40 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule +@@ -53,4 +53,3 @@ ocil: |- + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule +index 74819f5..4076bac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule +@@ -53,4 +53,3 @@ ocil: |- + If the system is configured to watch for account changes, lines should be returned for + each file specified (and with perm=wa for each). + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule +index 9dc2ceb..6e86964 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule +@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule +index 436f5f0..66e7f7c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule +@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="clock_settime") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule +index 22ec976..654fd13 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule +@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' + + {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule +index 0572156..4c0ca3c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule +@@ -58,4 +58,3 @@ ocil: |- + If the system is 64-bit only, this is not applicable
    + {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule +index 2fb8f7d..d4c02a2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule +@@ -51,4 +51,3 @@ ocil: |- +
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    + If the system is configured to audit this activity, it will return a line. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule +index ea42793..1e2437a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule +@@ -70,4 +70,3 @@ warnings: +
  • audit_rules_unsuccessful_file_modification_creat
  • + + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule +index a328ff9..bd91a9f 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule +index 6229398..8fadeaa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule +index 13f12fe..656de99 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule +index ce4193a..30ee748 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule +index 6f3c38a..532f355 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule +index f6e0263..d7d37ac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule +@@ -55,4 +55,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule +index acf6fc6..b892c5a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule +@@ -31,3 +31,5 @@ ocil: |- + /var/log/audit directory, run the following command: +
    $ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
    + If the system is configured to audit this activity, it will return a line. ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule +index 14d41d0..543f887 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule +@@ -34,4 +34,3 @@ ocil: |- + {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} + {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule +index 319b1bb..39ddc5b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule +@@ -36,4 +36,3 @@ ocil: |- +
    $ sudo ls -l /var/log/audit
    + Audit logs must be mode 0640 or less permissive. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule +index 94af473..c5cf669 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule +@@ -38,4 +38,3 @@ ocil: |- + is an IP address or hostname: +
    remote_server = REMOTE_SYSTEM
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule +index 502843d..e4e96d4 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule +@@ -41,4 +41,3 @@ ocil: |- + Acceptable values also include syslog and + halt. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule +index 07d36df..94292ff 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule +@@ -34,5 +34,3 @@ ocil: |- +
    $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
    + The output should return the following: +
    enable_krb5 = yes
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule +index 7fc5566..79b8909 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule +@@ -41,4 +41,3 @@ ocil: |- + Acceptable values also include syslog and + halt. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule +index c2891ab..75edf6a 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule +@@ -40,5 +40,3 @@ ocil: |- + To verify the audispd's syslog plugin is active, run the following command: +
    $ sudo grep active /etc/audisp/plugins.d/syslog.conf
    + If the plugin is active, the output will show yes. +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule +index cabdc03..3b45bc2 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule +@@ -44,4 +44,3 @@ ocil: |- + account when it needs to notify an administrator: +
    action_mail_acct = root
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule +index 7bad632..46102a1 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule +@@ -49,4 +49,3 @@ ocil: |- + or halt when disk space has run low: +
    admin_space_left_action single
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule +index 5475a85..a070c4a 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule +@@ -38,4 +38,3 @@ ocil: |- + Acceptable values are DATA, and SYNC. The setting is + case-insensitive. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule +index 06ec11d..b123481 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule +@@ -41,4 +41,3 @@ ocil: |- + $ sudo grep max_log_file /etc/audit/auditd.conf +
    max_log_file = 6
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule +index 609ca46..1c90f9e 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule +@@ -52,4 +52,3 @@ ocil: |- + $ sudo grep max_log_file_action /etc/audit/auditd.conf +
    max_log_file_action rotate
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule +index 5b1debc..619b19e 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule +@@ -40,4 +40,3 @@ ocil: |- + $ sudo grep num_logs /etc/audit/auditd.conf +
    num_logs = 5
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule +index d86ae02..c6fd4ea 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule +@@ -40,4 +40,3 @@ ocil: |- + determine if the system is configured correctly: +
    space_left SIZE_in_MB
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule +index 7b4360f..65523e0 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule +@@ -58,4 +58,3 @@ ocil: |- +
    space_left_action
    + Acceptable values are email, suspend, single, and halt. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_argument.rule +index 29c451c..68d4f49 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument.rule ++++ b/linux_os/guide/system/auditing/grub2_audit_argument.rule +@@ -57,5 +57,3 @@ warnings: +
  • On UEFI-based machines, issue the following command as root: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • + +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule +index 361a6b9..82cd257 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule +@@ -49,3 +49,5 @@ warnings: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}} + ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/service_auditd_enabled.rule b/linux_os/guide/system/auditing/service_auditd_enabled.rule +index ce32390..058a689 100644 +--- a/linux_os/guide/system/auditing/service_auditd_enabled.rule ++++ b/linux_os/guide/system/auditing/service_auditd_enabled.rule +@@ -42,4 +42,3 @@ references: + + ocil: '{{{ ocil_service_enabled(service="auditd") }}}' + +-platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule +index 492d2e7..eb56d1c 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule +@@ -17,3 +17,5 @@ references: + anssi: NT28(R23) + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule +index 8773f24..d9d53c2 100644 +--- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule ++++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule +@@ -47,3 +47,5 @@ warnings: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}} + ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule +index 9056613..b72c6b5 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule +@@ -50,3 +50,5 @@ warnings: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}} + ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule +index ea982ee..970025d 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule +@@ -50,3 +50,5 @@ warnings: +
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}} + ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule +index a8fc871..463cda6 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule +@@ -15,3 +15,4 @@ severity: unknown + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}} + ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule +index 67b7ff8..44febe9 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule +@@ -17,3 +17,4 @@ severity: unknown + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}} + ++platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles.rule b/linux_os/guide/system/selinux/selinux_user_login_roles.rule +index 47690e0..65cbf1f 100644 +--- a/linux_os/guide/system/selinux/selinux_user_login_roles.rule ++++ b/linux_os/guide/system/selinux/selinux_user_login_roles.rule +@@ -54,3 +54,5 @@ ocil: |- + All authorized non-administrative + users must be mapped to the user_u role or the appropriate domain + (user_t). ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml +index 75916e9..e9ff7cb 100644 +--- a/linux_os/guide/system/software/integrity/fips/group.yml ++++ b/linux_os/guide/system/software/integrity/fips/group.yml +@@ -14,3 +14,5 @@ description: |- + Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. +

    + See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information. ++ ++platform: machine +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule +index c1223d6..4f70107 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule +@@ -60,5 +60,3 @@ warnings: +

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. +- +-platform: machine diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index f0a7cd7..23f6dc8 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.%{redhatssgversion} -Release: 12%{?dist} +Release: 13%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base @@ -47,6 +47,15 @@ Patch31: scap-security-guide-0.1.41-sysctl_kernel.patch Patch32: scap-security-guide-0.1.41-kptr_restrict.patch Patch33: scap-security-guide-0.1.41-grub2_bootloader_arguments.patch Patch34: scap-security-guide-0.1.41-profile_title_rename_etc.patch +Patch35: scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch +Patch36: scap-security-guide-0.1.42-mark_rules_as_machine_only.patch +Patch37: scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch +Patch38: scap-security-guide-0.1.44-cpe-shadow-utils.patch +Patch39: scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch +Patch40: scap-security-guide-0.1.44-cpe-gdm.patch +Patch41: scap-security-guide-0.1.44-cpe-remaining.patch +Patch42: scap-security-guide-0.1.44-update-cpe-dictionary.patch + BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML @@ -110,6 +119,14 @@ mkdir build %patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 %build mkdir -p build && cd build @@ -159,6 +176,10 @@ cd build %doc build/guides/ssg-*-guide-*.html %changelog +* Thu Apr 11 2019 Gabriel Becker - 0.1.40-13 +- Added support to platform tag and mark rules as machine only (RHBZ#1698752) +- Fix content support for UBI-Minimal (RHBZ#1698751) + * Tue Sep 25 2018 Watson Yuuma Sato - 0.1.40-12 - Fix malformed patch for removal of abrt and sendmail (RHBZ#1619689)